Introduction
The JWT Decoder helps you inspect JSON Web Tokens directly in your browser. Paste a JWT or Bearer token to decode the header and payload, review common claims such as `iss`, `sub`, `aud`, `scope`, `iat`, `nbf`, and `exp`, and quickly spot whether a token looks expired or not yet valid. Everything is processed locally for safer debugging.
How to Use
Paste a full JWT or a Bearer token into the input area. The decoder strips the Bearer prefix if present, splits the token into segments, decodes the Base64URL header and payload, and formats them as readable JSON. Review the claim summary and time claim panels, then copy or download the decoded output if you need to share it in a ticket or compare environments. This tool does not verify the signature, so use it for inspection rather than trust decisions.
Features
- Decode JWT header and payload claims locally in the browser
- Accept raw JWT strings and Bearer tokens
- Readable JSON output for both header and payload sections
- Time claim inspection for `iat`, `nbf`, and `exp`
- Quick summary for algorithm, issuer, subject, audience, scope, and key ID
- Copy or download decoded JSON for debugging workflows
- Warning states when a token appears expired or not yet valid
- No server upload and no signature verification side effects
What a JWT Decoder Shows
A JWT usually contains three dot-separated segments: a header, a payload, and a signature. The header describes metadata such as the algorithm and key ID. The payload contains claims used by APIs and applications, such as who the token belongs to, which audience it targets, and when it should be accepted or rejected.
Decode Does Not Mean Verify
Decoding a JWT only means reading the Base64URL-encoded JSON inside the token. It does not prove that the token is authentic, unmodified, or trusted. Signature verification requires the correct secret or public key and must be handled by your application, gateway, or identity layer.
Reading exp, nbf, and iat
The `iat` claim usually shows when the token was issued. `nbf` indicates the earliest time the token should be accepted, and `exp` marks when it should no longer be accepted. These values are normally Unix timestamps in seconds. When debugging environment issues, always compare them with the device or server clock that is actually enforcing access.
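The decoding steps described under How to Use, together with the `exp`/`nbf` comparison above, as an added example that is not the tool's own code. It assumes Node's `Buffer` for Base64 handling (a browser would use `atob()` instead), takes the enforcing clock and an optional skew tolerance as parameters, and builds its own constructed sample token; like the tool, it never verifies the signature.

```javascript
// Added example (not the tool's own code): decode a JWT the way the page
// describes: strip "Bearer ", split segments, Base64URL-decode header and
// payload, and compare exp/nbf with a clock. It never verifies the signature.
// Assumes Node's Buffer; in a browser, atob() would take its place.

function base64UrlDecode(segment) {
  // Base64URL uses "-" and "_" and drops "=" padding; restore standard Base64.
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, "base64").toString("utf8");
}

// nowSeconds is the clock that enforces access; skewSeconds is the tolerance
// that clock is willing to grant (0 means strict comparison).
function decodeJwt(input, nowSeconds = Math.floor(Date.now() / 1000), skewSeconds = 0) {
  const token = input.trim().replace(/^Bearer\s+/i, "");
  const parts = token.split(".");
  if (parts.length !== 2 && parts.length !== 3) {
    throw new Error(`malformed token: expected 2 or 3 segments, got ${parts.length}`);
  }
  const header = JSON.parse(base64UrlDecode(parts[0]));
  const payload = JSON.parse(base64UrlDecode(parts[1]));
  const signed = parts.length === 3 && parts[2] !== "";
  const warnings = [];
  if (!signed) warnings.push("no signature segment: do not treat as a signed JWT");
  // RFC 7519: the token is usable only while nbf <= now < exp.
  if (typeof payload.exp === "number" && nowSeconds >= payload.exp + skewSeconds) warnings.push("expired");
  if (typeof payload.nbf === "number" && nowSeconds < payload.nbf - skewSeconds) warnings.push("not yet valid");
  const summary = { alg: header.alg, kid: header.kid, iss: payload.iss,
                    sub: payload.sub, aud: payload.aud, scope: payload.scope };
  return { header, payload, signed, summary, warnings };
}

// Constructed sample token (not a real credential): an HS256 header, typical
// claims, and a placeholder third segment that this example never checks.
function base64UrlEncode(obj) {
  return Buffer.from(JSON.stringify(obj)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}
const SAMPLE_TOKEN = "Bearer " + [
  base64UrlEncode({ alg: "HS256", typ: "JWT", kid: "key-1" }),
  base64UrlEncode({ iss: "https://issuer.example", sub: "user-42", aud: "api.example",
                    scope: "read", iat: 1700000000, nbf: 1700000000, exp: 1700003600 }),
  "signature-placeholder",
].join(".");

// Inspect the sample at a fixed instant (halfway through its lifetime).
console.log(JSON.stringify(decodeJwt(SAMPLE_TOKEN, 1700001800), null, 2));
```

Passing the real enforcing clock and its skew allowance reproduces the "expired" and "not yet valid" warning states the tool shows; a two-segment input decodes but is flagged as unsigned.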
Common JWT Debugging Scenarios
A decoder is useful when a Bearer token suddenly fails in staging, when an API returns 401 Unauthorized, when audience values do not match between services, or when a mobile app appears to use an old token after refresh. It is also helpful for checking whether a token is malformed before you start investigating signing keys or session storage.
JWT Segment Reference
Each segment has a different debugging purpose.
| Segment | Usually Contains | Practical Note |
|---|---|---|
| Header | Algorithm, type, key ID | Useful for confirming signing setup and token format |
| Payload | Claims such as iss, sub, aud, exp | Useful for checking authorization context and timing |
| Signature | Cryptographic signature bytes | Present in the token, but proves nothing until verified against the correct key |
Common JWT Claims
These are the fields developers most often inspect when a token is rejected.
| Claim | Meaning | Debugging Note |
|---|---|---|
| iss | Issuer | Check whether the token came from the expected identity provider |
| sub | Subject | Usually identifies the user, account, or service principal |
| aud | Audience | Must often match the API or resource that receives the token |
| nbf | Not before | Future values can cause immediate authorization failures |
| exp | Expiration time | Expired tokens are a common cause of 401 responses |
Frequently Asked Questions
Does this JWT decoder verify signatures?
No. It only decodes the readable JSON parts of the token. Signature verification must happen separately with the correct key material.
Are tokens uploaded to a server?
No. The decoder runs locally in your browser and does not send token contents to a server.
Why does a decoded token still fail in my API?
A token can decode correctly but still fail because of signature verification, audience mismatch, issuer mismatch, expiration, not-before timing, clock skew, or missing scopes.
Can this tool read Bearer tokens copied from request headers?
Yes. If the token starts with `Bearer `, the prefix is removed automatically before decoding.
What if my token has only two segments?
Some unsigned or non-standard tokens omit the signature segment. You can still inspect the header and payload, but you should not treat that token as a signed JWT.