JWT Decoder & Inspector
Decode and inspect JSON Web Tokens instantly. View the header, payload claims, expiry countdown, and common issues without sending your token to a server.
Signature is not verified - verification requires the signing key (the HMAC secret for HS256, or the issuer's public key for RS256 and the other asymmetric algorithms), which this tool does not have. Decoding happens client-side only, so treat everything shown here as unverified until your backend has checked the signature.
What is a JWT Decoder?
A JWT (JSON Web Token) decoder splits a token into its three Base64url-encoded parts - header, payload, and signature - and renders the header and payload as readable JSON (the signature is raw bytes and is shown as-is). JWTs are widely used for authentication: after login, a server issues a signed token that the client sends with every subsequent request. Decoding lets you inspect the algorithm (alg), the subject, the expiry time, and any custom claims without the signing key - but decoding is not verification, and nothing read from a decoded token should be trusted until its signature has been checked. This tool decodes entirely in your browser - your token is never sent to a server.
JWT structure explained
A JWT is three Base64url strings joined by dots: header.payload.signature. The header specifies the algorithm (alg) - typically HS256 (HMAC with SHA-256) or RS256 (RSASSA-PKCS1-v1_5 with SHA-256) - and usually the token type (typ: "JWT"). The payload contains claims: registered (iss, sub, exp, iat, aud, nbf, jti), public, or private. The signature is not a plain hash: it is an HMAC (HS*) or a digital signature (RS*, ES*, PS*) computed over the exact string header.payload, so changing a single character of either part invalidates it. Verifying it requires the HMAC secret or the issuer's public key, which is why this tool does not attempt it.
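As an added example (not part of the original tool's code), here is the decoder logic the two sections above describe, in JavaScript: it splits the compact serialisation, decodes header and payload from Base64url, and reports the common issues a decoder can detect without a key (wrong segment count, alg "none", empty signature, missing or past exp, future nbf). It is written for Node, using Buffer for the Base64url step; in a browser replace b64urlDecode with atob() plus TextDecoder. The sample token, its claims and the fixed timestamps are constructed for the demo, and the signature segment is placeholder text, not a real HMAC.

```javascript
// Added example: a minimal client-side JWT (JWS) decoder of the kind this page describes.
// Node is used for the Base64url step (Buffer); in a browser swap b64urlDecode for
// atob() + TextDecoder. Nothing here verifies the signature - it only decodes and inspects.
const b64urlDecode = (s) => Buffer.from(s, "base64url").toString("utf8");
const b64urlEncode = (s) => Buffer.from(s, "utf8").toString("base64url");
const B64URL = /^[A-Za-z0-9_-]*$/; // unpadded Base64url alphabet

// Decode a compact-serialised token and report common issues.
// `now` (Unix seconds) is a parameter so the expiry checks are deterministic.
function decodeJwt(token, now = Math.floor(Date.now() / 1000)) {
  const issues = [];
  const parts = token.trim().split(".");
  if (parts.length === 5) {
    return { header: null, payload: null, issues: ["5 segments: this is a JWE (encrypted), not a JWS; the payload is not readable"] };
  }
  if (parts.length !== 3) {
    return { header: null, payload: null, issues: [`expected 3 dot-separated segments, got ${parts.length}`] };
  }
  const [h, p, s] = parts;
  for (const [name, seg] of [["header", h], ["payload", p], ["signature", s]]) {
    if (!B64URL.test(seg)) issues.push(`${name} is not base64url (contains '+', '/', '=' or other characters)`);
  }

  let header = null, payload = null;
  try { header = JSON.parse(b64urlDecode(h)); } catch { issues.push("header is not valid JSON"); }
  try { payload = JSON.parse(b64urlDecode(p)); } catch { issues.push("payload is not valid JSON"); }

  if (header) {
    if (!header.alg) issues.push("header has no alg");
    else if (header.alg === "none") issues.push('alg is "none": token is unsigned');
  }
  if (s.length === 0) issues.push("signature segment is empty");

  if (payload) {
    if (payload.exp === undefined) issues.push("no exp claim: token never expires");
    else if (typeof payload.exp !== "number") issues.push("exp is not a NumericDate (number)");
    else if (payload.exp <= now) issues.push(`expired ${now - payload.exp}s ago`);
    if (typeof payload.nbf === "number" && payload.nbf > now) issues.push(`not valid for another ${payload.nbf - now}s`);
    if (typeof payload.iat === "number" && payload.iat > now) issues.push("iat is in the future");
  }
  return { header, payload, signatureBytes: Buffer.from(s, "base64url").length, issues };
}

// Constructed sample token: HS256 header, fixed timestamps, and a placeholder
// signature segment ("signature" in Base64url) - not a real HMAC.
const SAMPLE_HEADER = { alg: "HS256", typ: "JWT" };
const SAMPLE_PAYLOAD = { iss: "https://issuer.example", sub: "user-42", aud: "api.example", iat: 1700000000, exp: 1700003600 };
const SAMPLE_TOKEN = [
  b64urlEncode(JSON.stringify(SAMPLE_HEADER)),
  b64urlEncode(JSON.stringify(SAMPLE_PAYLOAD)),
  "c2lnbmF0dXJl",
].join(".");

console.log(JSON.stringify(decodeJwt(SAMPLE_TOKEN, 1700000100), null, 2)); // no issues at this `now`
console.log(decodeJwt(SAMPLE_TOKEN, 1700003600).issues);                   // expired 0s ago
```

Pass a fixed `now` when testing expiry logic; with the default, the result depends on the clock of whoever runs it.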
Frequently Asked Questions
Is it safe to decode a JWT online?
The payload of a JWT is only Base64url-encoded, not encrypted - anyone holding the token string can read every claim. That is by design for a signed token (JWS): the signature provides integrity and authenticity, not confidentiality, so secrets never belong in the payload (if the claims themselves must be hidden, that is what encrypted JWTs, JWE, are for). The larger risk is the token itself: a valid access token is a bearer credential, and pasting a live production token into any online tool is the same as handing that credential over. Use tokens from dev or staging environments for debugging, and avoid tokens that carry sensitive personal data.
What do the standard JWT claims mean?
iss (issuer) - who created the token, usually a URL. sub (subject) - who the token is about, usually a user ID. exp (expiration) - a NumericDate (seconds since the Unix epoch) at or after which the token must be rejected. iat (issued at) - when the token was created. aud (audience) - who the token is intended for; a string or an array of strings, and a verifier must reject tokens not addressed to it. nbf (not before) - the token must be rejected before this timestamp.
Why can this tool not verify the JWT signature?
Signature verification requires the shared secret (for HS256) or the issuer's public key (for RS256 and the other asymmetric algorithms). This tool has neither: it runs entirely in the browser with no server-side component and no access to your keys, so it can only decode. For HS256 you need the original shared secret, which should never leave the server. For RS256 you can verify with the public key from your auth provider's JWKS endpoint, selecting the key by the kid value in the header. Whatever does the verifying should also pin the expected algorithm rather than trusting the alg value in the header, and check exp, nbf, iss and aud only after the signature passes.
How do I use JWTs in Laravel?
Laravel Sanctum issues opaque random tokens (stored hashed in the database), not JWTs, so a Sanctum token will not decode here. The most widely used package for JWT authentication in Laravel is tymon/jwt-auth. For OAuth 2.0 flows use Laravel Passport, whose access tokens are JWTs signed with RS256 by the underlying league/oauth2-server. With either package configured as the driver for the api guard, auth()->guard('api')->user() returns the user for a token that verifies and null otherwise.