JWT Decoder

Decode and inspect JWT (JSON Web Token) structure without verification for analysis purposes.

JWT Token Input

Paste your JWT token here to decode and inspect its contents

Security Notice:

This tool decodes JWTs without signature verification. Never share sensitive tokens publicly.

Characters: 0

Decoded JWT

JWT structure and payload information

About JWT (JSON Web Tokens)

JWT Structure

  • Header: Contains token type and signing algorithm
  • Payload: Contains claims (user data and metadata)
  • Signature: Ensures token hasn't been tampered with

Format: header.payload.signature

Common Claims

  • sub: Subject (user ID)
  • iss: Issuer (who created the token)
  • aud: Audience (intended recipient)
  • exp: Expiration time
  • iat: Issued at time
  • nbf: Not before time

⚠️ Security Warning

• This tool decodes JWTs without signature verification

• Never share production tokens or sensitive information

• Always verify JWT signatures in production applications

• Treat decoded information as potentially untrusted

A JSON Web Token (JWT) is a compact, URL-safe way to transmit claims between two parties — most commonly an authentication server and a client. The ToolEdge JWT Decoder lets you paste any JWT and instantly see its three parts decoded: the header (algorithm and token type), the payload (the actual claims like user ID, issued-at timestamp, and expiry), and the signature. Decoding happens entirely in your browser — your token never leaves your machine and is never logged by our servers.

JWTs are everywhere in modern web development: Auth0, AWS Cognito, Firebase Auth, Supabase, Keycloak, and most custom auth systems issue them. When something is wrong — a 401, a misrouted user, a token that won't refresh — the first debugging step is always to look inside the token. This tool does that without you needing to write a script or trust a third-party site with sensitive payloads.

Common use cases

  • Debugging 401 / 403 errors by inspecting token expiry (`exp`), issuer (`iss`), and audience (`aud`) claims.
  • Verifying that custom claims (roles, permissions, tenant IDs) are set correctly by your identity provider.
  • Comparing tokens from different environments (staging vs production) when an auth flow misbehaves.
  • Inspecting the algorithm in the header (`HS256` vs `RS256`) before validating signatures server-side.
  • Teaching JWT structure to teammates without sending real tokens through a public service.

Frequently asked questions

Yes. The decoder runs entirely in your browser via JavaScript — your token is never sent to ToolEdge servers, never logged, and never stored. That said, never paste production access tokens into any online tool you do not trust the source of. If in doubt, run a local decoder like jq -R 'split(".") | .[0:2] | map(@base64d | fromjson)'.