What is a JWT?
A JSON Web Token (JWT, pronounced “jot”) is a compact, URL-safe token used to prove identity and carry claims between services — most commonly as the access or ID token in OAuth 2.0 and OpenID Connect logins, and as the Authorization: Bearer … header your API receives. It is made of three base64url parts joined by dots:
header.payload.signature
- Header — the signing algorithm (alg) and token type.
- Payload — the claims: who the token is for (sub), who issued it (iss), the audience (aud), and timing (iat, nbf, exp), plus any custom data.
- Signature — proves the token was issued by someone holding the secret or private key and has not been altered.
Important: the header and payload are only encoded, not encrypted. Anyone who has the token can read them — so never put passwords or secrets in a JWT payload.
How to use this tool
- Paste the token (a leading Bearer is stripped for you).
- Read the decoded Header and Payload. Registered claims are labelled and the timing claims are shown as real dates.
- Check the Active / Expired badge to see if the token is still valid right now.
- To confirm authenticity, enter the HMAC secret (HS*) or paste the issuer’s public key (RS/PS/ES) and press Verify.
Registered claims
| Claim | Meaning |
|---|---|
| iss | Issuer — who created and signed the token. |
| sub | Subject — the user or entity the token is about. |
| aud | Audience — who the token is intended for. |
| exp | Expiration time — reject the token after this instant. |
| nbf | Not before — the token is invalid until this instant. |
| iat | Issued at — when the token was created. |
| jti | JWT ID — a unique identifier, useful for revocation. |
exp, nbf and iat are NumericDate values — seconds since 1 Jan 1970 UTC — which this tool converts to your local date and time.
Privacy & security
This decoder is 100% client-side. Your token, secret and keys are processed in your browser and never uploaded. Even so, treat production secrets and private keys carefully and rotate any credential you suspect has been exposed.
Frequently asked questions
Is my token uploaded anywhere?
No. The token is split, base64url-decoded and JSON-parsed entirely in your browser, and signatures are checked with the browser's built-in Web Crypto API. Nothing is sent to any server — safe even for tokens that contain personal data.
What does decoding a JWT actually show?
A JWT has three dot-separated parts: a header (which signing algorithm was used), a payload (the claims — who the token is for, when it was issued and when it expires), and a signature. Decoding reveals the header and payload, which are only base64url-encoded, not encrypted — anyone can read them.
Does decoding mean the token is valid?
No. Decoding just reads the contents. A token is only trustworthy if its signature verifies against the issuer's key AND it has not expired. Use the Verify section to confirm the signature, and check the Active / Expired badge for timing.
Which algorithms can you verify?
HMAC (HS256, HS384, HS512) using a shared secret, RSA (RS256/384/512 and PS256/384/512) and ECDSA (ES256/384/512) using the issuer's public key. Paste the public key as a PEM block or as JWK JSON (for example a single key copied from an OpenID Connect JWKS endpoint).
Can I read the signature to get the secret back?
No. The signature is a one-way HMAC or digital signature — you cannot reverse it to recover the secret or private key. Verification only confirms whether a key you already have produced that signature.
Why does my Google / Auth0 / Firebase token fail HMAC verify?
Those providers sign with RS256 (an asymmetric algorithm), not HS256. Algorithm selection is automatic here — paste the provider's public key (from its JWKS URL) instead of a secret.