JWT Decoder

Decode, verify, and inspect JSON Web Tokens.

Guide

About JWT Decoder

Decode any JSON Web Token (JWT) instantly to inspect its header, payload, and signature. Hover any claim for the RFC 7519 explanation, watch a live countdown to exp, and optionally verify HS256/HS384/HS512 signatures by pasting the secret. Everything runs in your browser — your token is never transmitted.

What is a JWT?

A JSON Web Token is three base64url-encoded segments separated by dots: header.payload.signature. The header declares the signing algorithm (alg) and key id (kid). The payload holds claims about the subject — who they are, when the token was issued, when it expires. The signature lets a server verify the token has not been tampered with, without storing session state.

A typical token looks like:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
.eyJzdWIiOiIxMjM0NSIsImV4cCI6MTcwOTM4MDgwMH0
.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Decode each segment and you get JSON, except for the signature, which stays as raw bytes.

How to use this decoder

Paste any JWT into the input. The decoder splits and base64url-decodes each segment instantly. You get:

  • Header — pretty-printed JSON with alg highlighted
  • Payload — every claim named, with hover tooltips citing the RFC section that defines it
  • Signature — raw byte length, plus a live countdown to exp if present
  • Verify — paste the shared secret to run HS256/384/512 verification, or paste a JWK for RS/ES variants

If the token is malformed (wrong segment count, base64 errors, non-JSON header), you get a precise error pointing at which segment failed.

Common workflows

Debug an auth bug in production. Copy the bearer token from a failing request, paste here, check exp and aud. Most “401 Unauthorized” bugs are clock skew or audience mismatch.

Audit a third-party SSO integration. Paste the ID token, verify the issuer (iss) matches what your code expects, confirm the audience (aud) is your client_id. Drift here is the classic cause of silent auth bypass.

Verify a token without your library. Strip dependencies for a quick check — paste the token, paste the secret, see if the signature holds. We compute the HMAC locally using SubtleCrypto.

Why a local decoder matters

A JWT often contains the user’s email, ID, role, and sometimes session-bound data. Pasting it into a remote decoder means handing that information to whoever runs the site. The original jwt.io decoder runs client-side, but mirrors and clones often do not. TypeParser’s decoder is fully local — open the network tab while you decode and confirm: zero requests.

Frequently asked questions

Is my JWT sent to a server?
No. Decoding, claim parsing, and HMAC verification all run locally in your browser using the Web Crypto API. We do not log, transmit, or persist the token.

Can I verify RS256 / ES256 signatures?
HS256/384/512 verification is built in. RS256 and ES256 require the public key in JWK or PEM form — paste the JWK and we will verify locally. JWKS URL fetching is intentionally not supported to keep the tool fully offline.

My JWT shows as expired but it should be valid — why?
The exp claim is in seconds since the Unix epoch in UTC. Compare against the live countdown shown in the header — if your system clock drifts, the calculation can disagree with your server. Many JWT bugs are clock skew bugs.

What is the difference between JWT and JWS?
JWS (JSON Web Signature, RFC 7515) is the signing envelope. JWT (RFC 7519) is a set of standard claims (iss, sub, aud, exp, iat, nbf, jti) carried inside a JWS. Almost every "JWT" you see is a signed JWS-JWT.

Why does base64 decode show garbled bytes?
JWTs use base64url, not standard base64 — + becomes -, / becomes _, and padding is stripped. Standard base64 decoders trip on this. Our decoder handles base64url automatically.

Can I generate a JWT here?
Not yet — this tool focuses on decoding and verification. For signing, use the HMAC Generator against the canonical header.payload string, or a server-side library like jose.

Last updated: 2025-01-15