JWT Decoder

Decode JWT header and payload, and optionally verify signatures for HS* and RS* algorithms.

Decoding shows content. Verification checks the signature when you provide a secret or public key.
Tip: avoid pasting production secrets into shared environments.

About JWT Decoder

JWT Decoder Tool for Decoding JSON Web Tokens

A JWT (JSON Web Token) is a compact string that carries signed claims between systems. This JWT Decoder helps you quickly decode a token into its header and payload, highlight common claims, and (optionally) verify the signature when you provide the appropriate key.

How JWT Decoder Works

JWTs are made of three base64url-encoded parts separated by dots: header, payload, and signature. Decoding is simply reversing base64url and parsing JSON. Verification is separate: it checks whether the signature matches the header+payload using the algorithm and key you specify.

Step-by-step

  1) Paste your token: Add a JWT in the input box. The tool accepts standard three-part tokens and also handles “missing signature” tokens for inspection.
  2) Decode safely: The tool base64url-decodes the header and payload, parses JSON, and shows readable, pretty-printed output.
  3) Review claims: It surfaces common fields such as iss, aud, sub, exp, nbf, iat, and jti, and provides warnings for likely issues (for example, an expired token).
  4) Optional verification: Switch to “Verify signature”, choose (or auto-detect) an algorithm, then paste either an HMAC secret (HS256/HS384/HS512) or an RSA public key (RS256/RS384/RS512).
  5) Copy or download results: Copy the combined report to your clipboard or download it as a TXT file for audits, tickets, or documentation.
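The decode side of the procedure above (split on dots, reverse base64url, parse JSON, surface common claims, and flag time-based problems without executing anything) looks like this in Python, using only the standard library. This is an added example and not the tool's own code (the tool is written in PHP); the sample token, its claim values, and the 24-hour "long lifetime" threshold are constructed for the demonstration.

```python
import base64
import json
import time
from typing import Any, Dict, List, Optional


def b64url_decode(segment: str) -> bytes:
    """Reverse base64url: restore the '=' padding JWTs strip, then decode."""
    segment = segment.strip()
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_jwt(token: str) -> Dict[str, Any]:
    """Split and decode a JWS compact token without verifying anything.

    Accepts the standard three-part form and, for inspection only, tokens whose
    signature part is empty or missing entirely (two parts).
    """
    parts = token.strip().split(".")
    if len(parts) == 2:
        header_b64, payload_b64, signature_b64 = parts[0], parts[1], ""
    elif len(parts) == 3:
        header_b64, payload_b64, signature_b64 = parts
    else:
        raise ValueError("expected 2 or 3 dot-separated parts, got %d" % len(parts))
    header = json.loads(b64url_decode(header_b64))
    payload = json.loads(b64url_decode(payload_b64))
    if not isinstance(header, dict) or not isinstance(payload, dict):
        raise ValueError("header and payload must be JSON objects")
    return {
        "header": header,
        "payload": payload,
        "signature_present": signature_b64 != "",
        "signature": b64url_decode(signature_b64) if signature_b64 else b"",
    }


def _is_timestamp(value: Any) -> bool:
    # bool is a subclass of int in Python, so exclude it explicitly
    return isinstance(value, (int, float)) and not isinstance(value, bool)


def _iso(ts: float) -> str:
    return time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime(ts))


LONG_LIFETIME_SECONDS = 24 * 3600  # assumed threshold for the "long exp window" hint; tune per policy


def claim_hints(payload: Dict[str, Any], now: Optional[int] = None, leeway: int = 0) -> List[str]:
    """Return human-readable warnings about time claims. Inspection only: never raises."""
    now = int(time.time()) if now is None else now
    hints: List[str] = []
    exp, nbf, iat = payload.get("exp"), payload.get("nbf"), payload.get("iat")
    for name, value in (("exp", exp), ("nbf", nbf), ("iat", iat)):
        if value is not None and not _is_timestamp(value):
            hints.append("%s is not a numeric Unix timestamp: %r" % (name, value))
    if _is_timestamp(exp) and now > exp + leeway:
        hints.append("token expired at %s" % _iso(exp))
    if _is_timestamp(nbf) and now + leeway < nbf:
        hints.append("token not valid before %s" % _iso(nbf))
    if _is_timestamp(iat) and iat > now + leeway:
        hints.append("iat is in the future (clock skew or forged timestamp?)")
    if _is_timestamp(exp) and _is_timestamp(iat) and exp - iat > LONG_LIFETIME_SECONDS:
        hints.append("long lifetime: %d hours between iat and exp" % ((exp - iat) // 3600))
    if exp is None:
        hints.append("no exp claim: token never expires on its own")
    return hints


COMMON_CLAIMS = ("iss", "sub", "aud", "exp", "nbf", "iat", "jti")


def report(token: str, now: Optional[int] = None) -> str:
    """Build the text report a decoder would show: header, payload, common claims, hints."""
    decoded = decode_jwt(token)
    lines = ["HEADER", json.dumps(decoded["header"], indent=2),
             "PAYLOAD", json.dumps(decoded["payload"], indent=2), "CLAIMS"]
    for name in COMMON_CLAIMS:
        if name in decoded["payload"]:
            value = decoded["payload"][name]
            if name in ("exp", "nbf", "iat") and _is_timestamp(value):
                shown = "%s (%s)" % (value, _iso(value))
            else:
                shown = json.dumps(value)
            lines.append("  %s: %s" % (name, shown))
    lines.append("SIGNATURE: %s" % ("present (not verified)" if decoded["signature_present"] else "missing"))
    for hint in claim_hints(decoded["payload"], now=now):
        lines.append("WARNING: " + hint)
    return "\n".join(lines)


# Constructed sample: realistic header and claims, but a placeholder signature,
# so it decodes fine and would never verify.
_SAMPLE_HEADER = {"alg": "HS256", "typ": "JWT", "kid": "example-key-1"}
_SAMPLE_PAYLOAD = {"iss": "https://issuer.example", "sub": "user-123", "aud": "api.example",
                   "iat": 1700000000, "exp": 1700003600, "jti": "c0ffee"}
SAMPLE_TOKEN = ".".join([
    b64url_encode(json.dumps(_SAMPLE_HEADER, separators=(",", ":")).encode()),
    b64url_encode(json.dumps(_SAMPLE_PAYLOAD, separators=(",", ":")).encode()),
    b64url_encode(b"placeholder-signature"),
])

if __name__ == "__main__":
    print(report(SAMPLE_TOKEN))
```

Passing a fixed `now` makes the time hints reproducible; in the browser tool the current clock is used. Note that `decode_jwt` treats everything as text and JSON, so the output never depends on what the claims "mean", only on what they contain.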

Key Features

Instant header and payload decoding

See the decoded JSON in a clean, readable format. This is ideal for quickly checking the alg, kid, and typ fields in the header and the set of claims in the payload.

Optional signature verification (HS* and RS*)

If you have the secret or public key, you can verify whether the signature matches the token. The tool supports common HMAC algorithms (HS256/384/512) and RSA algorithms (RS256/384/512) using PHP’s built-in cryptography functions.

Claim hints and time checks

The decoder interprets Unix timestamps for exp, nbf, and iat and flags likely problems such as an expired token or a token that is not yet valid. This helps you troubleshoot authentication issues faster.

Pretty-print and raw-safe outputs

Switch between pretty JSON and compact JSON output. The tool never executes token content; it only decodes and formats text for display and copying.

Privacy-first workflow

JWTs often contain sensitive identifiers. Use decoding for inspection and debugging, but avoid pasting production tokens into shared environments. When possible, test with non-sensitive samples or redact values before sharing results.

Use Cases

  • Debugging login issues: Confirm that iss, aud, and exp match what your API expects.
  • Checking token expiration: Quickly see whether a token is expired, not yet valid, or has an unexpected lifetime.
  • Auditing headers: Verify the algorithm in alg and key identifiers like kid during security reviews.
  • Validating signature setups: Test whether your HS* secret or RSA public key matches the token you’re issuing.
  • Customer support tickets: Produce a readable report (without secrets) to speed up diagnosis and communication.
  • Learning and training: Understand how JWT structure maps to claims and why signature verification matters.

Whether you’re working on a small web app or a multi-service platform, a dependable JWT decoder reduces guesswork. It turns an opaque token string into a clear set of fields you can validate against your configuration.

Optimization Tips

Prefer short-lived access tokens

Keep access tokens short-lived and rely on refresh tokens or re-authentication flows. When you decode a token, a very long exp window can be a sign that you should tighten lifetimes to reduce risk.

Validate both claims and signature

Decoding alone does not prove authenticity. For sensitive flows, ensure the signature verifies and then validate claims such as issuer, audience, and time constraints. The “Verify signature” mode helps you confirm keys and algorithms during development and troubleshooting.

Watch for algorithm mismatches

If your services expect RS256 but a token shows HS256 (or vice versa), that mismatch can cause failed authentication or, worse, misconfiguration risks. Always confirm the header’s alg and enforce an allowlist in your application.
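The two tips above, "Validate both claims and signature" and "Watch for algorithm mismatches", come together in a strict verifier: the algorithm allowlist comes from server configuration and is checked before any cryptography (so alg "none", a missing alg, and an HS256 token presented to a service that expects RS256 are all rejected up front), the HMAC is compared in constant time, and issuer, audience, and time claims are only examined after the signature passes. This Python example is added here and is not the tool's code; it implements HS256/384/512 only (RS* needs an RSA library and is not shown), and the secret, claim values, and timestamps are constructed for the demonstration.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Any, Dict, Optional, Sequence

HS_DIGESTS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _encode_part(obj: Dict[str, Any]) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def sign_hs(header: Dict[str, Any], payload: Dict[str, Any], secret: bytes) -> str:
    """Issue an HS* token; used here only to build the demo tokens below."""
    signing_input = _encode_part(header) + "." + _encode_part(payload)
    mac = hmac.new(secret, signing_input.encode("ascii"), HS_DIGESTS[header["alg"]]).digest()
    return signing_input + "." + b64url_encode(mac)


def unsigned_token(header: Dict[str, Any], payload: Dict[str, Any]) -> str:
    """Token with an empty signature part, the shape an alg=none issuer emits."""
    return _encode_part(header) + "." + _encode_part(payload) + "."


class TokenRejected(Exception):
    """Carries a reason suitable for logging; never echo the token itself."""


def verify_hs_token(token: str, secret: bytes, allowed_algs: Sequence[str], expected_iss: str,
                    expected_aud: str, now: Optional[int] = None, leeway: int = 0) -> Dict[str, Any]:
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenRejected("malformed token: expected three parts")
    header_b64, payload_b64, sig_b64 = parts
    try:
        header = json.loads(b64url_decode(header_b64))
    except ValueError:  # covers bad base64 (binascii.Error) and bad JSON
        raise TokenRejected("malformed header")
    # 1. Allowlist from configuration, never from the token. Rejects "none", a missing
    #    alg, and any alg the service was not configured for (e.g. HS256 when RS256 is expected).
    alg = header.get("alg") if isinstance(header, dict) else None
    if alg not in allowed_algs:
        raise TokenRejected("alg %r not in allowlist %r" % (alg, list(allowed_algs)))
    if alg not in HS_DIGESTS:
        raise TokenRejected("alg %s is allowed but this verifier only implements HS*" % alg)
    if not sig_b64:
        raise TokenRejected("missing signature")
    # 2. MAC over the exact header.payload bytes as received, compared in constant time.
    expected_mac = hmac.new(secret, (header_b64 + "." + payload_b64).encode("ascii"), HS_DIGESTS[alg]).digest()
    try:
        presented_mac = b64url_decode(sig_b64)
    except ValueError:
        raise TokenRejected("malformed signature")
    if not hmac.compare_digest(expected_mac, presented_mac):
        raise TokenRejected("signature mismatch")
    # 3. Claims are trusted only after the signature check passed.
    payload = json.loads(b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if payload.get("iss") != expected_iss:
        raise TokenRejected("issuer mismatch")
    aud = payload.get("aud")
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        raise TokenRejected("audience mismatch")
    exp = payload.get("exp")  # policy assumption: exp is mandatory
    if not isinstance(exp, (int, float)) or now > exp + leeway:
        raise TokenRejected("token expired or exp missing")
    nbf = payload.get("nbf")
    if nbf is not None and now + leeway < nbf:
        raise TokenRejected("token not yet valid")
    return payload


def rejection_reason(*args: Any, **kwargs: Any) -> Optional[str]:
    """None when the token is accepted, otherwise the rejection reason."""
    try:
        verify_hs_token(*args, **kwargs)
        return None
    except TokenRejected as exc:
        return str(exc)


# Constructed demo values; a real secret comes from configuration, not source code.
SECRET = b"demo-secret-do-not-use"
NOW = 1700001000
CLAIMS = {"iss": "https://issuer.example", "aud": "api.example", "sub": "user-123",
          "iat": 1700000000, "exp": 1700003600}
GOOD = sign_hs({"alg": "HS256", "typ": "JWT"}, CLAIMS, SECRET)
NONE_TOKEN = unsigned_token({"alg": "none", "typ": "JWT"}, CLAIMS)
_parts = GOOD.split(".")
_parts[1] = _encode_part(dict(CLAIMS, sub="user-999"))  # payload edited after signing
TAMPERED = ".".join(_parts)

if __name__ == "__main__":
    for label, token, allowed in (("good", GOOD, ["HS256"]), ("alg none", NONE_TOKEN, ["HS256"]),
                                  ("service expects RS256", GOOD, ["RS256"]), ("tampered", TAMPERED, ["HS256"])):
        reason = rejection_reason(token, SECRET, allowed, "https://issuer.example", "api.example", now=NOW)
        print("%-22s -> %s" % (label, reason or "accepted"))
```

The order matters: the allowlist check runs before any key is touched, so a token advertising an algorithm the service does not use never reaches the signature code, and claims are never read from a token whose signature has not been checked.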

FAQ

Does decoding a token verify it?

No. Decoding only reveals the header and payload contents. Verification checks whether the signature matches the header+payload using the correct algorithm and key.

Which key do I paste to verify a signature?

For HS256/384/512, paste the shared HMAC secret used to sign the token. For RS256/384/512, paste the PEM-formatted RSA public key that matches the private key used to sign.

What about tokens with alg “none” or no signature?

Some tokens are created without a signature for testing, but using “none” in production is typically unsafe. Your application should enforce an allowlist of algorithms and reject unsigned tokens where signatures are required.

Can a token pass signature verification and still be expired?

Yes. Signature verification only confirms the token was signed with the right key. Expiration is a separate claim check; your application should reject tokens that are expired or not yet valid.

Does the tool handle encrypted JWTs (JWE)?

This tool focuses on signed JWTs (JWS). Encrypted JWTs (JWE) require decryption keys and a different processing flow. If you paste a JWE, the tool will treat it as a string and may not be able to decode meaningful JSON parts.

Why Choose This JWT Decoder?

When you’re troubleshooting authentication, clarity matters. This tool turns a JWT into a human-readable report, highlights time-based claims, and helps you confirm that the token structure matches what your backend expects.

Use it as a quick inspection layer in your workflow: decode first, verify if you have a key, then fix configuration issues with confidence. Paste, inspect, copy, and move on—without installing dependencies or juggling multiple tools.