Does the decoder verify the signature?

**No**. Verifying **HS256** needs the secret key, **RS256** needs the public key. The decoder shows **only the structure**. To verify or sign tokens in the browser, use our [JWT signer / verifier](/en/jwt-signer-verifier). If you need an RSA / EC keypair for signing, generate one with the [JWT keypair generator](/en/jwt-keypair-generator).

Does my token go anywhere?

**No**. All decoding **in the browser**: base64url decode + JSON parse. You can **verify in DevTools → Network**: no upload. **This is the key difference vs jwt.io**, which sends the token over the wire.

What do exp / iat / nbf mean?

Three time-related claims: - **exp** (expiration): Unix timestamp when the token **expires** - **iat** (issued at): when it was **issued** - **nbf** (not before): **earliest** time the token becomes valid The decoder shows them as **locale-formatted dates**.

Token shows expired but still works, bug?

Your API may have **clock skew tolerance** (typically 30-60s) or **cache verifications**. If **exp is >5 min in the past** and the token still works, that's a **real API bug**.

What does alg = "none" mean?

A JWT with algorithm **"none"** has **no signature**, anyone can modify it. The classic **"alg=none vulnerability"**. If you see this in **production**, you have a potentially **serious security issue**.

**Partially**. **JWE** (JSON Web Encryption, encrypted payload) has **5 dot-separated sections** instead of 3. The decoder will throw a "shape" error since it sees 5 parts. **Most JWTs in use are JWS** (signed) with 3 sections, JWE is niche.

Why UTF-8 in the JSON?

**JWT spec allows UTF-8** in claims (e.g. accented or non-Latin names in "name"). Decoder goes **base64 → bytes → UTF-8 string → parse JSON**. Without UTF-8, accented characters would garble (Latin-1 artifacts).

How long can a JWT be?

**No technical limit**, but practical: **HTTP cookie ~4 KB, Authorization header ~8 KB**. **Tokens above 2 KB = a red flag**, someone probably stuffed too many claims in. The decoder handles any length.

JWT decoder - free | YourDevTools

JWT decoder

Paste a JSON Web Token, see the header, payload and signature. The decoder runs in your browser, the token never leaves.

JWT token

The token never leaves your browser.

What's inside this JWT token? How do I decode it?

Paste a JWT token, the tool shows the header, payload, and signature. Everything runs in your browser, the token never leaves your device.

This matters because the well-known jwt.io sends tokens over the wire. Pasting a production token there = an invitation to trouble. Here everything is local.

Perfect for debugging authorization: access tokens, refresh tokens, ID tokens from Auth0, Cognito, Firebase, Keycloak.

How to use it

Copy your JWT token (starts with "eyJ..." and has 3 dot-separated sections).

Paste into the text field, parses automatically (no clicking).

On the right you see the header (algorithm + type), on the left the payload (claims: sub, iss, exp, custom claims), the signature below.

Pills at the top show: algorithm (HS256/RS256/...), type (JWT/JWE), issue date (iat), expiration (exp). Expired token = exp pill turns red.

When this is useful

Seven typical situations where a JWT decoder helps you understand what is actually inside the token:

Authorization debugging. You get a token from the backend, want to see the claims (role, organization, scopes).
Auth0 / Cognito / Firebase / Keycloak. Decoding the ID token reveals all user attributes.
Expiry check. Is the refresh token still valid? The exp pill answers.
Code review. A colleague pasted a token in chat, you want to see what's inside before reporting an incident.
Education. See how JWT actually works for people learning authorization.
OAuth 2.0 / OpenID Connect. Parsing Bearer access tokens.
Audit. Exp too long? Wrong scopes? SHA-1 signature?

Questions and answers

No. Verifying HS256 needs the secret key, RS256 needs the public key. The decoder shows only the structure. To verify or sign tokens in the browser, use our JWT signer / verifier. If you need an RSA / EC keypair for signing, generate one with the JWT keypair generator.

What's inside this JWT token? How do I decode it?

Paste a JWT token, the tool shows the header, payload, and signature. Everything runs in your browser, the token never leaves your device.

This matters because the well-known jwt.io sends tokens over the wire. Pasting a production token there = an invitation to trouble. Here everything is local.

Perfect for debugging authorization: access tokens, refresh tokens, ID tokens from Auth0, Cognito, Firebase, Keycloak.

How to use it

Copy your JWT token (starts with "eyJ..." and has 3 dot-separated sections).

Paste into the text field, parses automatically (no clicking).

On the right you see the header (algorithm + type), on the left the payload (claims: sub, iss, exp, custom claims), the signature below.

Pills at the top show: algorithm (HS256/RS256/...), type (JWT/JWE), issue date (iat), expiration (exp). Expired token = exp pill turns red.

When this is useful

Seven typical situations where a JWT decoder helps you understand what is actually inside the token:

Authorization debugging. You get a token from the backend, want to see the claims (role, organization, scopes).
Auth0 / Cognito / Firebase / Keycloak. Decoding the ID token reveals all user attributes.
Expiry check. Is the refresh token still valid? The exp pill answers.
Code review. A colleague pasted a token in chat, you want to see what's inside before reporting an incident.
Education. See how JWT actually works for people learning authorization.
OAuth 2.0 / OpenID Connect. Parsing Bearer access tokens.
Audit. Exp too long? Wrong scopes? SHA-1 signature?

Questions and answers

JWT decoder

What's inside this JWT token? How do I decode it?

How to use it

When this is useful

Questions and answers

Related tools

UUID Generator

Password Hashes: MD5, SHA, bcrypt

TOTP 2FA Secret Generator

JWT decoder

What's inside this JWT token? How do I decode it?

How to use it

When this is useful

Questions and answers

Related tools

UUID Generator

Password Hashes: MD5, SHA, bcrypt

TOTP 2FA Secret Generator