Does this send my JWT to a server?

No. Decoding runs entirely in your browser. Your token is never transmitted anywhere - this is critical for tokens that may carry session state or sensitive claims.

Why does the signature say 'not verified'?

Verifying a JWT signature requires the secret key (for HMAC algorithms) or the public key (for RSA/EC algorithms). This tool decodes the header and payload without the key, so it cannot verify the signature. Use a server-side library with the correct key to verify tokens in production.

What is the difference between HS256 and RS256?

HS256 uses a shared HMAC-SHA256 secret - the same key signs and verifies. RS256 uses an RSA key pair - the private key signs, the public key verifies. RS256 is preferred for systems where multiple services verify tokens without needing the signing secret.

Can I decode expired tokens?

Yes. Decoding only requires the Base64Url-encoded structure of the token - it does not check the exp claim. Expired tokens still have valid structure and can be fully decoded.

Free Online JWT Decoder & Inspector

Decode • Inspect Claims • Check exp/iat/nbf • Optional HS256/384/512 Verify

Decode and inspect JSON Web Tokens (JWT) locally: header/payload/signature, exp/iat/nbf timestamps, and optional HS256/384/512 verification - no uploads.

JWT (paste token)

Options

Pretty JSON Trim + collapse whitespace Auto-fix Base64URL padding

HS* Verify (optional)

Verify

Decoded

Header

Payload

Signature

About this tool

This free online JWT decoder lets you inspect token header and payload claims instantly, including exp/iat/nbf checks and common structure validation. All decoding runs locally in your browser - no uploads and no server-side processing. Use it to debug authentication flows, verify what your app is actually receiving, and quickly export decoded sections for incident response or logging.

Common use cases

Inspect header and payload claims during OAuth/OpenID debugging
Check token expiration (exp), issued-at (iat), and not-before (nbf)
Confirm issuer (iss), audience (aud), subject (sub), and scopes/roles
Copy or download decoded sections for troubleshooting and reporting
Optionally verify HS256/384/512 signatures when you have the shared secret

How it works

JWTs are three base64url-encoded parts: header, payload, and signature. This tool decodes the header and payload by base64url decoding and JSON parsing, then evaluates time-based claims (exp/iat/nbf) against your local clock. Signature verification is optional: when you provide a shared secret for HS* algorithms, the tool computes the expected HMAC and compares it to the token signature - all locally in the browser.

FAQ

Does this JWT decoder upload my token

No. Decoding and optional verification run locally in your browser.

Does decoding a JWT mean the signature is valid

No. Decoding only reveals the contents. Signature validity requires verification (HS* verify is available when you provide the secret).

Why do exp/iat/nbf checks show as invalid

Most issues come from clock skew, tokens being used too early (nbf), or expired tokens (exp). Confirm your system time and token issuance settings.

Related tools

Base64 Encoder/Decoder — decode individual JWT segments (header, payload, signature) manually
JSON Formatter — format the decoded JSON payload for easier reading
Hash Generator — understand the HMAC-SHA256 signing algorithm behind JWT verification
Secure Paste — share JWT debugging snippets without exposing live tokens