Realm by Rook|Utilities
    JWT Decoder

    JWT Decoder

    Decode, inspect, and verify JSON Web Tokens — entirely in the browser

    Header
    {
  "alg": "HS256",
  "typ": "JWT"
}
    Payload
    {
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022
}
    Registered claims
    Issued at (iat)
    2018-01-18T01:30:22.000Z (1/18/2018, 1:30:22 AM) · 8 years ago
    Subject (sub)
    1234567890
    Verify signaturealgorithm: HS256
    HMAC — paste your shared secret.

    Misschien vind je het ook leuk

    Base64 Encoder/Decoder

    Encode and decode Base64 strings

    JSON Formatter

    Format and validate JSON data

    Hash Generator

    Generate MD5, SHA1, SHA256 hashes

    About the JWT Decoder

    A JSON Web Token (JWT) is a compact, URL-safe credential format that encodes a signed JSON payload. It's the dominant format for modern authentication (OAuth 2.0, OIDC, API keys). Debugging one usually means decoding the Base64URL segments, checking the expiry, and verifying the signature — this tool does all three without ever sending the token over the network.

    Features

    How it works

    1. Paste a JWT into the input box.
    2. The header and payload appear as formatted JSON with syntax highlighting.
    3. Scroll to 'Registered claims' to see iat / nbf / exp in human-readable form plus expiry warnings.
    4. If the token uses HS256/384/512, paste the secret and click Verify to confirm the signature is valid.

    Use cases

    Frequently asked questions

    Is my JWT sent to a server?

    +

    No. Decoding and HMAC verification both happen in your browser using the Web Crypto API. Tokens are safe to paste here.

    Why can't you verify RS256 / ES256?

    +

    Those algorithms require the issuer's public key, which only the token issuer has. You can verify them on your own server with the public key; our tool handles HMAC (shared-secret) algorithms only.

    What does 'Expires soon' mean?

    +

    A warning shown when the token will expire within the next 5 minutes — a common problem in failing deploys or clock-skew debugging.

    Can I decode any JWT format?

    +

    Yes, any standards-compliant three-part JWT (header.payload.signature) with Base64URL encoding. Malformed tokens produce a clear error.

    Are registered claims required?

    +

    No, JWTs can contain any custom claims. Our analysis table highlights the standard RFC 7519 registered ones; your custom claims still appear in the raw payload view above.