Decode JSON Web Tokens (JWT) Online

A JSON Web Token (JWT) is a base64url-encoded triplet of header, payload and signature. The JWT Decoder splits the three segments, decodes the header and payload, and shows you the JSON contents — issuer, subject, audience, expiry, and any custom claims.

Optionally, yes — fully in your browser. By default the tool just decodes the header and payload. Click Verify signature to validate the token: paste the shared secret for HS256/HS384/HS512, or paste an SPKI PEM public key (BEGIN PUBLIC KEY) for RS/PS/ES algorithms. Verification runs entirely via the browser’s SubtleCrypto API — the key and the token never leave the page. For production secrets, prefer a backend or test environment.

Issued time (iat), expiry status (valid / expires soon / expired) from exp, not-before (nbf), and warnings for weak algorithms (alg: none, missing alg). Standard claims like iss/aud/sub are highlighted if present.

Never. The decode happens entirely in your browser. We have no servers, no logs of your data, and no behavioural analytics on your token contents. Open DevTools → Network and verify it yourself before pasting any token.

You get a clear error: "Not a JWT (expected three base64url segments)" or a parse error pointing to which segment failed (header / payload / signature) — so you can fix the source instead of guessing.

The token never leaves your machine, so technically yes — but treat any access token as sensitive. Prefer test tokens whenever possible, and rotate any token that may have been logged elsewhere.

Yes. The header and payload are decoded regardless of algorithm — that is just base64url. The decoder also supports optional in-browser signature verification for HS256/HS384/HS512 (with a shared secret), RS256/RS384/RS512, PS256/PS384/PS512 and ES256/ES384 (with an SPKI public key). The algorithm is always shown so you can spot weak choices like alg: none.