Ctrl+K

JWT Decoder — Decode and Verify a JWT Online

🔒 Runs in your browser — nothing is sent to a server

JWT decoder that takes any JSON Web Token and reveals its header and payload as JSON in a single click. Paste a token returned by your auth provider or copied from an `Authorization` header, and this JWT token parser splits it on the dots, base64url-decodes the first two segments and parses each as JSON. An optional Verify section checks the signature with HS256/HS384/HS512, RS256 or ES256 when you have the key, and flags tokens past their `exp`. Everything runs 100% inside your browser; your token and key never leave your device, nothing is uploaded, logged or sent to any server.

Two-pane view: input and output side by side

JWT token

Decoded header, payload, signature

Copied!

When to use a JWT decoder

A JWT decoder is the quickest way to understand what is actually inside a token when something misbehaves: checking whether `exp` has passed during a 401 investigation, confirming the `aud` a partner is issuing, verifying a custom claim survived the signing pipeline, inspecting the `kid` your identity provider attached before hitting the JWKS endpoint, or simply reading the `sub` when a token turns up in logs. Running the decode in an offline-first page keeps production tokens off remote servers — the decoded JSON is yours alone.

How decoding and verification work together

A JWT is three segments joined by dots. The header pins down the signing algorithm, the payload carries the claims, and the signature is computed over `base64url(header).base64url(payload)`. Decoding reverses the first two transforms — base64url, then JSON parse — and is always possible without any key. Verification is the second, optional step: the Verify section re-runs the exact signing primitive (`HMAC` for HS256/HS384/HS512, `RSASSA-PKCS1-v1_5` for RS256, `ECDSA` on P-256 for ES256) against the signing input using the secret or public key you provide, and reports whether the stored signature matches. Both steps happen entirely in the browser through the Web Crypto API, so nothing ever leaves the tab.

Examples

Input

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Output

{
  "header": {
    "alg": "HS256",
    "typ": "JWT"
  },
  "payload": {
    "sub": "1234567890",
    "name": "John Doe",
    "iat": 1516239022
  },
  "signature": "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
}

Decode JWT token — standard HS256 payload

Input

eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImsxIn0.eyJpc3MiOiJodHRwczovL2F1dGguZnJlZS1jb252ZXJ0ZXIub25saW5lIiwiYXVkIjoiYXBpLmt3ZXppdGdhbWVzLmNvbSIsInN1YiI6InVzZXJfNDIiLCJleHAiOjE3NTAwMDAwMDAsImlhdCI6MTc0OTk5NjQwMH0.ignored-signature

Output

{
  "header": {
    "alg": "RS256",
    "typ": "JWT",
    "kid": "k1"
  },
  "payload": {
    "iss": "https://auth.free-converter.online",
    "aud": "api.kwezitgames.com",
    "sub": "user_42",
    "exp": 1750000000,
    "iat": 1749996400
  },
  "signature": "ignored-signature"
}

Parse JWT — RS256 token with standard claims

Input

eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhZG1pbkBmcmVlLWNvbnZlcnRlci5vbmxpbmUiLCJyb2xlcyI6WyJhZG1pbiIsImF1ZGl0b3IiXSwic2NvcGUiOiJyZWFkIHdyaXRlIn0.sig

Output

{
  "header": {
    "alg": "HS256"
  },
  "payload": {
    "sub": "admin@free-converter.online",
    "roles": [
      "admin",
      "auditor"
    ],
    "scope": "read write"
  },
  "signature": "sig"
}

View JWT payload — custom claims with roles

FAQ

How do I decode a JWT token?

Paste the JWT into the input above — this JWT decoder splits the token on its two dots, base64url-decodes the first two segments, and parses each one as JSON. You immediately see the header (algorithm, token type, key id) and the payload (claims like `sub`, `iat`, `exp`). The decode runs entirely in your browser tab.

What is a JWT (JSON Web Token)?

A JWT is a compact, URL-safe token defined by RFC 7519. It encodes three JSON structures separated by dots: a header describing the signing algorithm, a payload containing claims about the subject, and a signature binding the first two together. JWTs are the default currency of modern authentication — they travel in `Authorization: Bearer` headers and cookies.

How can I view the payload of a JWT?

The payload is the middle segment of the token, between the two dots. Copy the JWT, paste it here, and the decoder will base64url-decode that segment and pretty-print it as JSON. You will see standard claims like `sub` (subject), `iat` (issued-at), `exp` (expiry), `aud` (audience), `iss` (issuer) plus any custom claims your auth server adds such as `roles` or `scope`.

Can I verify the JWT signature here?

Yes — expand the Verify signature section below the output, pick the algorithm (HS256/HS384/HS512 for HMAC, RS256 or ES256), paste the signing secret or the public key in PEM form, and click Verify. A green Signature verified badge means the signature is authentic; a red Signature invalid badge means it has been tampered with or the key is wrong.

Does the verifier also check the token expiry?

Yes. Whenever the payload carries an `exp` claim, the verifier compares it against the current clock after checking the signature and raises a Token expired warning if the token is past its validity window. The signature result and the expiry state are shown independently so you can see a cryptographically valid signature on an expired token.

Is it safe to paste a JWT into an online decoder?

With this decoder, yes — decoding, verification and PEM parsing all run in your browser via the Web Crypto API. The token, secret and public key never reach a server and nothing is logged or cached. A JWT carries authenticated claims, so always verify an online decoder is offline-first before pasting production tokens into any web-based tool.

Why does my decoded JWT show odd characters or fails to parse?

JWT segments are base64url-encoded — a variant that swaps `+` for `-`, `/` for `_`, and drops `=` padding. A common cause of decoding failure is that the token was URL-encoded in transit or wrapped with extra whitespace; decode those first and paste the raw `xxx.yyy.zzz` string. Malformed JSON inside the segments is also surfaced as a parse error here.

What do JWT claims like exp, iat, iss and aud mean?

`iat` (issued-at) and `exp` (expiry) are Unix timestamps that bound the token's validity window. `iss` (issuer) names who minted the token. `aud` (audience) names the API it is meant for. `sub` (subject) identifies the user. `nbf` (not-before) holds issuance back until a future time. RFC 7519 reserves these seven names; everything else in the payload is a custom claim.

Glossary

JWT (JSON Web Token)

A JWT is a compact, URL-safe token of the form `header.payload.signature` defined by RFC 7519. Each of the first two parts is a base64url-encoded JSON object; the third is a cryptographic signature computed over them. JWTs carry authenticated claims between parties without needing a shared session store, which makes them the backbone of most modern API authentication.

JWT header

The JWT header is the first segment of the token and describes the signing algorithm and token type. It always contains an `alg` field (`HS256`, `RS256`, `ES256`, etc.) and usually `typ: "JWT"`; keyed tokens additionally carry a `kid` (key id) so a verifier knows which public key to use. A JWT decoder surfaces the header so you can confirm the algorithm before trusting the payload.

JWT payload (claims)

The JWT payload is the second segment, a JSON object holding the token's claims. RFC 7519 reserves seven claim names — `iss`, `sub`, `aud`, `exp`, `nbf`, `iat`, `jti` — that bound identity and validity; every additional field is a custom claim. When you view a JWT payload through this decoder, the JSON is pretty-printed so nested objects (roles, scopes, tenant metadata) are easy to read.

JWT signature

The JWT signature is the third segment and cryptographically binds the header and payload so tampering can be detected. HS256 uses HMAC with a shared secret; RS256 and ES256 use asymmetric signatures that require a public key to verify. The Verify signature section on this page re-computes the signature and reports whether it matches the token.

JWT verifier

A JWT verifier is any piece of code — or, here, a browser-local tool — that re-computes the signature over `base64url(header).base64url(payload)` with the signing key and compares it to the signature segment of the token. A passing verification proves the token has not been tampered with; a failing one means either the key is wrong or the token has been altered. Expiry (`exp`) is checked separately after the signature.

Base64url

Base64url is the URL-safe variant of base64 used to encode the header and payload of a JWT. It replaces `+` with `-`, `/` with `_`, and strips `=` padding, so the encoded segments can travel in URLs, cookies and HTTP headers without further escaping. Any JWT token parser re-pads the segment and converts those characters back before running a regular base64 decode.

Related tools

JWT Generator

Sign JWT tokens with HS256, RS256 or ES256 using a free online JWT generator

Text to Base64

Encode any text to Base64 — fast, free Base64 encoder

Base64 to Text

Decode Base64 to plain text — fast, free Base64 decoder

URL Encode

Percent-encode text or URLs with a free URL encoder

URL Decode

Decode percent-encoded URL strings with a free URL decoder

JSON Beautify

Pretty-print and format minified JSON with proper 2-space indentation in your browser

JSON Minify

Compress and minify JSON by stripping every byte of optional whitespace

JSON to YAML

Convert JSON data to clean, human-readable YAML format