JWT Decoder

Decode JSON Web Tokens — 100% client-side

Free JWT decoder — 100% client-side, browser-based

Toololis JWT Decoder decodes JSON Web Tokens entirely in your browser. See the header, payload, and signature rendered as formatted JSON. Expiry dates are converted to human-readable time. Your tokens are never sent to any server — safe for debugging production issues.

JWT structure

A JWT has three parts separated by dots: xxxxx.yyyyy.zzzzz.

  • Header — Algorithm (HS256, RS256, etc.) and type (JWT)
  • Payload — Claims: user ID, permissions, expiry, any custom data
  • Signature — HMAC or RSA/ECDSA proof that the token hasn't been tampered with

How to use this tool

  1. Paste the JWT

     Drop your JSON Web Token into the input field. It should look like three base64-encoded chunks separated by dots.

  2. Read the decoded parts

     Header (algorithm and token type), Payload (claims and data), and Signature — each rendered as formatted JSON.

  3. Check expiry

     If the payload contains an exp or iat claim, the tool shows human-readable dates and warns if expired.
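The three steps above, as an added JavaScript example that is not part of the Toololis tool's own code: it splits the token, base64url-decodes the header and payload with atob() and JSON.parse() (the approach the FAQ describes), renders exp/iat/nbf as ISO dates, and flags an expired or not-yet-valid token. The sample token is constructed inline with a placeholder signature; the signature is never verified.

```javascript
// Convert base64url (no padding, '-' and '_') to the standard base64 that atob() accepts.
function base64UrlDecode(segment) {
  let b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const rem = b64.length % 4;
  if (rem === 1) throw new Error('invalid base64url segment length');
  if (rem) b64 += '='.repeat(4 - rem);
  // atob() returns a "binary string" (one char per byte); decode it as UTF-8
  // so non-ASCII claim values survive.
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  return new TextDecoder().decode(bytes);
}

// Inverse of the above, used only to build the constructed sample token below.
function base64UrlEncode(str) {
  const bin = Array.from(new TextEncoder().encode(str), (b) => String.fromCharCode(b)).join('');
  return btoa(bin).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Claims that carry Unix-second timestamps and are shown as ISO dates.
const TIME_CLAIMS = ['exp', 'iat', 'nbf'];

// Decode (not verify) a JWT. `nowSeconds` is injectable so expiry checks are deterministic.
function decodeJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split('.');
  if (parts.length !== 3) throw new Error('expected three dot-separated parts');
  const [h, p, signature] = parts;
  const header = JSON.parse(base64UrlDecode(h));
  const payload = JSON.parse(base64UrlDecode(p));
  const dates = {};
  for (const claim of TIME_CLAIMS) {
    if (typeof payload[claim] === 'number') {
      dates[claim] = new Date(payload[claim] * 1000).toISOString();
    }
  }
  const expired = typeof payload.exp === 'number' && payload.exp <= nowSeconds;
  const notYetValid = typeof payload.nbf === 'number' && payload.nbf > nowSeconds;
  // The signature is returned as raw base64url text: without the key it cannot be checked here.
  return { header, payload, signature, dates, expired, notYetValid };
}

// Constructed sample token (not issued by any real system); the signature is a placeholder.
const SAMPLE_JWT = [
  base64UrlEncode(JSON.stringify({ alg: 'HS256', typ: 'JWT' })),
  base64UrlEncode(JSON.stringify({ sub: 'user-123', iat: 1700000000, exp: 1700000900 })),
  base64UrlEncode('placeholder-signature'),
].join('.');

console.log(JSON.stringify(decodeJwt(SAMPLE_JWT, 1700000500), null, 2));
```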

Standard JWT claims

  • iss — Issuer (who created the token)
  • sub — Subject (typically user ID)
  • aud — Audience (intended recipient)
  • exp — Expiration timestamp (Unix seconds)
  • iat — Issued at timestamp (Unix seconds)
  • nbf — Not before timestamp (token invalid until this time)
  • jti — JWT ID (unique identifier, for revocation)

JWT security best practices

  • Short expiry — Access tokens should expire in 15 minutes or less
  • Use HTTPS — JWTs are bearer tokens; anyone with the token is "you"
  • Rotate signing keys — Key leaks happen; build rotation from day one
  • Don't store secrets in payload — The payload is only Base64URL-encoded, not encrypted; anyone holding the token can read it
  • Use refresh tokens — Long-lived refresh + short access token pattern
  • Store in httpOnly cookies — Not in localStorage, which any script injected via XSS can read

Frequently Asked Questions

What is a JWT?
JSON Web Token — a compact, URL-safe way to represent claims between two parties. Typically used for authentication: a server issues a signed token, and the client sends it back with each request to prove identity.
Is it safe to paste my token here?
Yes. The decoding happens entirely in your browser using atob() and JSON.parse(). Nothing is sent to any server. However, never paste a production token from a system you don't own — treat tokens like passwords.
Does this verify the signature?
No. Signature verification requires the secret key or public key, which we don't have. This tool only decodes the payload. Verification happens on your backend using a library like jsonwebtoken or jose.
Why is my signature "gibberish"?
The signature is raw binary (an HMAC tag or an RSA/ECDSA signature), encoded as Base64URL. It's not meant to be human-readable. The only thing that matters is that it validates when checked with the correct key.
What claims are in the payload?
Standard claims include iss (issuer), sub (subject/user), aud (audience), exp (expiry), iat (issued at), nbf (not-before), and jti (unique ID). Custom claims are allowed too — anything the issuer wants to embed.
My JWT shows as expired — what do I do?
Request a new one from your auth server. Most systems refresh automatically via refresh tokens. If you're testing an API manually, log in again and copy the new token.
Can I use this for JWTs with custom claims?
Yes. All claims in the payload are shown, regardless of whether they're standard or custom. Numbers formatted as timestamps (like exp) are also shown as human-readable dates.

100% Privacy. This tool runs entirely in your browser. Your data is never uploaded to any server.