JWT Decoder
Decode any JWT to read its header, payload and claims, humanize expiry dates, spot unsafe tokens and verify HS256 signatures — all locally in your browser. Free and private.
What is the JWT Decoder?
A JWT Decoder splits a JSON Web Token into its three parts — header, payload and signature — and base64url-decodes the first two so you can read what a token actually contains. Toollyz JWT Decoder is a full inspection workspace: it pretty-prints the header and payload with syntax highlighting, lists every claim with a plain-English description, and humanizes the registered date claims (exp, iat, nbf) into readable timestamps with relative times and an at-a-glance status — active, expired or not-yet-valid. It flags unsafe tokens (alg: none), malformed structures and empty signatures, and can verify HS256 signatures right in your browser using the Web Crypto API when you paste the secret. RS256/ES256 tokens are decoded for inspection (verifying those requires the issuer's public key). Everything — decoding, claim analysis and signature verification — happens entirely on your device, so your tokens and secrets are never uploaded.
How to use it
- Paste a JWT (header.payload.signature) into the token box — it decodes as you type.
- Read the colour-coded header and payload, and review every claim with its meaning.
- Check the status badge to see whether the token is active, expired or not yet valid.
- For HS256 tokens, paste the secret and click Verify to confirm the signature locally.
Benefits
- Instant, UTF-8-correct base64url decoding of the header and payload.
- Syntax-highlighted, pretty-printed header and payload with one-click copy.
- Every claim explained, with exp/iat/nbf humanized into readable dates and relative times.
- Clear status — active, expired or not-yet-valid — plus warnings for alg: none and malformed tokens.
- HS256 signature verification in your browser via the Web Crypto API.
- RS256/ES256 tokens decoded for inspection with a clear note on public-key verification.
- Works with bearer tokens, ID tokens and access tokens from any provider.
- 100% private — tokens and secrets never leave your browser, with autosave for your last token.
Frequently asked questions
What is a JWT decoder?
A JWT decoder reads a JSON Web Token and shows you what's inside it. A JWT has three base64url-encoded parts — header, payload and signature — and the decoder reveals the header and payload as readable JSON, along with the claims and their meaning.
How does JWT decoding work?
The token is split on its two dots into header, payload and signature. The header and payload are base64url-decoded (URL-safe base64 without padding) and parsed as JSON. Toollyz then humanizes the standard date claims and surfaces the algorithm, type and validity status.
Does decoding a JWT verify it?
No — decoding just reads the contents, which anyone can do. Verifying proves the token hasn't been tampered with and was signed by a trusted party. This tool can verify HS256 signatures when you supply the secret; for RS256/ES256 you'd need the issuer's public key.
Can I verify the signature?
Yes, for HS256 tokens. Paste the HMAC secret and click Verify — the check runs in your browser with the Web Crypto API and tells you whether the signature matches. RS256 and ES256 tokens are decoded for inspection but not verified, since that requires the issuer's public key.
Is it safe to paste my token here?
Yes. Everything happens locally in your browser — your token and any secret you enter are never sent to a server. That said, treat real production tokens carefully and avoid pasting them into tools you don't trust; this one is fully client-side and open to inspection.
How do I read the expiry (exp) claim?
JWT dates are NumericDate values (seconds since 1970-01-01T00:00:00Z, the Unix epoch). The decoder converts exp, iat and nbf into human-readable timestamps with a relative time (e.g. “in 2 days” or “3 hours ago”) and shows whether the token is active, expired or not yet valid.
What does “alg: none” mean?
It means the token is unsigned. Such tokens carry no cryptographic guarantee and must never be trusted in production — the decoder shows a clear warning when it sees alg: none.
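The steps described in the answers above (split on the dots and base64url-decode, derive a status from exp and nbf, warn on alg: none and empty signatures, verify HS256 with the Web Crypto API) are shown here as an added JavaScript example. It is not Toollyz's own code; the names `decodeJwt`, `inspect` and `verifyHS256` and the sample token are assumptions made for illustration.

```javascript
// Added example (not the tool's source). Runs in a browser or in Node 16+.
const b64urlToBytes = (s) => {
  // base64url -> base64: swap the URL-safe characters back and restore padding
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/') + '='.repeat((4 - (s.length % 4)) % 4);
  return Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
};

// Split on the two dots; decode header and payload as strict UTF-8 JSON.
function decodeJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed: expected header.payload.signature');
  const utf8 = new TextDecoder('utf-8', { fatal: true });
  const json = (p) => JSON.parse(utf8.decode(b64urlToBytes(p)));
  return {
    header: json(parts[0]),
    payload: json(parts[1]),
    signature: parts[2],
    signingInput: `${parts[0]}.${parts[1]}`,
  };
}

// exp/nbf are NumericDate values in seconds; nowSec is a parameter so results are reproducible.
function inspect(token, nowSec = Math.floor(Date.now() / 1000)) {
  const { header, payload, signature } = decodeJwt(token);
  const warnings = [];
  if (String(header.alg).toLowerCase() === 'none') warnings.push('alg: none (unsigned)');
  if (signature === '') warnings.push('empty signature');
  let status = 'active';
  if (typeof payload.nbf === 'number' && nowSec < payload.nbf) status = 'not-yet-valid';
  if (typeof payload.exp === 'number' && nowSec >= payload.exp) status = 'expired';
  return { status, warnings, header, payload };
}

// HS256 check via Web Crypto. Any other alg is refused rather than trusted,
// so the token's own header cannot choose how it gets verified.
async function verifyHS256(token, secret) {
  const { header, signature, signingInput } = decodeJwt(token);
  if (header.alg !== 'HS256') return false;
  // Assumption: older Node without a global `crypto` falls back to node:crypto's webcrypto.
  const subtle = (globalThis.crypto ?? (await import('node:crypto')).webcrypto).subtle;
  const enc = new TextEncoder();
  const key = await subtle.importKey('raw', enc.encode(secret), { name: 'HMAC', hash: 'SHA-256' }, false, ['verify']);
  return subtle.verify('HMAC', key, b64urlToBytes(signature), enc.encode(signingInput));
}

// Constructed sample, not a real token: {"alg":"none"} . {"sub":"demo","exp":1} . (empty signature)
const SAMPLE = 'eyJhbGciOiJub25lIn0.eyJzdWIiOiJkZW1vIiwiZXhwIjoxfQ.';
console.log(inspect(SAMPLE).status, inspect(SAMPLE).warnings);
```

A `true` result from `verifyHS256` only says the signature matches the secret; a caller still has to check the status from `inspect` before accepting the token.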
Does it support modern tokens with Unicode?
Yes. Decoding is UTF-8 aware, so claims containing accented characters, emoji or non-Latin scripts (common in name and email fields) display correctly.
Does it work on mobile?
Yes. The token input, decoded panels, claims table and signature verification are fully responsive and touch-friendly, so you can inspect tokens on any device.
Is this JWT decoder free?
Completely free with no signup and no limits. Decoding, claim analysis and HS256 verification are all available to everyone, privately in your browser.