JWT Decoder & Inspector

Paste a JSON Web Token to inspect its header, payload, claims and signature. The whole decoder runs in your browser — your token is never sent over the network, never logged and never stored.

Free Tool • 100% Local • No Logging
Privacy: all parsing happens client-side. There is no backend. Open DevTools → Network to verify.

About JWT Decoders

A JSON Web Token (JWT) packs a header, payload and signature into three base64url-encoded segments separated by dots. Decoding the first two segments is trivial: they are just base64url-encoded JSON. What matters is understanding what is inside, whether the token has expired, and whether the algorithm is one you actually trust.

What this tool does

  • Header & payload decoding: base64url → JSON, pretty-printed.
  • Standard claim labelling: human-readable names for iss, sub, aud, exp, iat, nbf, jti.
  • Time claim conversion: Unix timestamps shown as ISO 8601 plus a relative time.
  • Validity check: compares exp and nbf with your local clock.
  • Security warning: flags alg: none tokens.

What this tool deliberately does not do

It does not verify the signature. Verification requires the issuer's secret (HMAC) or public key (RSA, ECDSA, EdDSA). Pasting that material into a website you do not control is a bad habit even when the website is honest about being local. Verify signatures in your own application using a vetted JWT library.
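
The checks listed under "What this tool does", written out as an added JavaScript example (not this tool's source code). The function names and the sample tokens are assumptions constructed for illustration, and like the tool it decodes without verifying the signature.

```javascript
// Added example, not the tool's own code; inspectJwt and b64urlToJson are hypothetical names.
function b64urlToJson(segment) {
  // base64url -> base64: swap the URL-safe alphabet and restore padding.
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/")
    .padEnd(Math.ceil(segment.length / 4) * 4, "=");
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  const value = JSON.parse(new TextDecoder().decode(bytes));
  if (value === null || typeof value !== "object") throw new Error("segment is not a JSON object");
  return value;
}

function inspectJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected three dot-separated segments");
  const header = b64urlToJson(parts[0]);
  const payload = b64urlToJson(parts[1]);
  const warnings = [];
  // Match "none" case-insensitively so "None" and "NONE" are flagged too.
  if (typeof header.alg !== "string" || header.alg.toLowerCase() === "none") {
    warnings.push("alg is none or missing: token is unsigned");
  }
  // Time claims are Unix seconds; show them as ISO 8601.
  const times = {};
  for (const claim of ["iat", "nbf", "exp"]) {
    if (typeof payload[claim] === "number") {
      times[claim] = new Date(payload[claim] * 1000).toISOString();
    }
  }
  let timeStatus = "current";
  if (typeof payload.nbf === "number" && nowSeconds < payload.nbf) timeStatus = "not yet valid";
  if (typeof payload.exp === "number" && nowSeconds >= payload.exp) timeStatus = "expired";
  if (timeStatus !== "current") warnings.push("token is " + timeStatus);
  // Decoding proves nothing about authenticity, so this is always false here.
  return { header, payload, times, timeStatus, warnings, signatureVerified: false };
}

// Constructed sample tokens (built for this example, not real credentials).
const enc = (obj) => btoa(JSON.stringify(obj))
  .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const sampleSigned = enc({ alg: "HS256", typ: "JWT" }) + "." +
  enc({ sub: "user-1", iat: 1700000000, nbf: 1700000000, exp: 1700003600 }) + ".c2ln";
const sampleNone = enc({ alg: "None" }) + "." + enc({ sub: "user-1" }) + ".";

console.log(inspectJwt(sampleSigned, 1700000100).timeStatus);
console.log(inspectJwt(sampleNone, 1700000100).warnings);
```

The second argument pins the clock so the result is reproducible; omit it to compare against the local clock as the tool does.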

Frequently Asked Questions

Is this JWT decoder safe to use with production tokens?
Yes. The decoder runs entirely in your browser. The page makes no network request when you paste a token — open your browser DevTools, switch to the Network tab, paste a token and you will see nothing happen.

Why does the tool not verify the signature?
Verification needs your signing secret or public key. The right place to verify is in your application code, using a maintained library and your own key material — not a tool on the open internet.

What does the "alg: none" warning mean?
A JWT whose header declares alg: none carries no signature at all. It should never be accepted by a production system. The decoder flags it so you can investigate.

What is the difference between iat, nbf and exp?
iat is the time the token was issued, nbf is the earliest time it can be used, and exp is when it expires. All three are Unix timestamps measured in seconds.