How to Read and Debug JSON Web Tokens
Decode and inspect JSON Web Tokens privately in your browser. See header, payload, and expiration.
The problem
You're debugging an auth flow and need to see what's inside a JWT. The token is a long eyJ... string — three base64url-encoded parts separated by dots: header, payload, signature. You need to check the claims, see when it expires, and confirm which issuer and audience it names.
The obvious move is to paste it into an online decoder. But JWTs often contain sensitive data — user IDs, email addresses, roles, permissions, session identifiers. Pasting that into someone else's server means sending your auth data to a third party. For a token that's literally your proof of identity, that's a bad trade.
How it works
- Paste your JWT into the input field — the full `eyJhbG...` string.
- See the decoded header — algorithm (`HS256`, `RS256`, etc.) and token type.
- Read the payload — all claims displayed as formatted JSON with standard claims labeled: issuer, subject, audience, expiration.
- Check expiration — the tool shows whether the token is valid or expired, with a human-readable countdown.
- Copy header or payload — one-click copy buttons for the decoded JSON.
Your data never leaves your browser. All processing happens locally.
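The decoding steps above, as an added example in plain JavaScript (this is not the tool's own source): it splits the token, base64url-decodes the header and payload, labels the registered claims, flags an `alg` of `none`, and works out the expiry state with optional clock-skew leeway. The sample token is constructed inline with a bogus signature segment, and its claim values and timestamps are made up for the demo. It runs unchanged in a browser or in Node 16+, since `atob`, `btoa`, `TextEncoder` and `TextDecoder` are globals in both.

```javascript
// Added example, not the decoder's own code. Decodes and inspects a JWT;
// it never verifies the signature.

const REGISTERED_CLAIMS = {
  iss: 'Issuer', sub: 'Subject', aud: 'Audience', exp: 'Expiration',
  nbf: 'Not Before', iat: 'Issued At', jti: 'JWT ID',
};

// base64url (RFC 4648 section 5, unpadded) -> UTF-8 string.
function base64UrlDecode(segment) {
  if (!/^[A-Za-z0-9_-]*$/.test(segment)) throw new Error('segment is not base64url');
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return new TextDecoder('utf-8').decode(bytes);
}

// UTF-8 string -> base64url; only needed here to build the constructed sample token.
function base64UrlEncode(str) {
  const bytes = new TextEncoder().encode(str);
  const bin = Array.from(bytes, (b) => String.fromCharCode(b)).join('');
  return btoa(bin).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Split a compact-serialized JWS into its three parts and parse the two JSON parts.
function decodeJwt(token) {
  const parts = token.trim().split('.');
  if (parts.length !== 3) throw new Error(`expected 3 dot-separated parts, got ${parts.length}`);
  const [h, p, s] = parts;
  const header = JSON.parse(base64UrlDecode(h));
  const payload = JSON.parse(base64UrlDecode(p));
  if (payload === null || typeof payload !== 'object' || Array.isArray(payload)) {
    throw new Error('payload is not a JSON object');
  }
  const warnings = [];
  if (typeof header.alg !== 'string') warnings.push('header has no alg');
  else if (header.alg.toLowerCase() === 'none') warnings.push('alg is "none": unsigned token, never accept this');
  if (s.length === 0) warnings.push('empty signature segment');
  // Label the registered claims; anything else is a public or private claim (name: null).
  const claims = Object.entries(payload).map(([claim, value]) => ({
    claim, name: REGISTERED_CLAIMS[claim] ?? null, value,
  }));
  return { header, payload, claims, signature: s, warnings };
}

// Time check against exp / nbf. `now` is Unix seconds; `leeway` (seconds) absorbs clock skew.
// RFC 7519: valid when nbf <= now < exp.
function expiryStatus(payload, now = Math.floor(Date.now() / 1000), leeway = 0) {
  if (typeof payload.nbf === 'number' && now + leeway < payload.nbf) {
    return { state: 'not-yet-valid', secondsRemaining: payload.nbf - now };
  }
  if (typeof payload.exp !== 'number') return { state: 'no-exp', secondsRemaining: null };
  const remaining = payload.exp - now;
  if (remaining + leeway <= 0) return { state: 'expired', secondsRemaining: remaining };
  return { state: 'valid', secondsRemaining: remaining };
}

// Human-readable countdown (absolute value, so it also reads as "expired N ago").
function formatRemaining(seconds) {
  const s = Math.abs(seconds);
  const h = Math.floor(s / 3600), m = Math.floor((s % 3600) / 60), sec = s % 60;
  return `${h}h ${m}m ${sec}s`;
}

// Constructed sample token: HS256-shaped header, made-up claims, bogus signature segment.
const NOW = 1700000000;
function makeSampleToken(header, payload) {
  return `${base64UrlEncode(JSON.stringify(header))}.${base64UrlEncode(JSON.stringify(payload))}.bogus-signature`;
}
const SAMPLE_TOKEN = makeSampleToken(
  { alg: 'HS256', typ: 'JWT' },
  { iss: 'https://auth.example.com', sub: 'user-123', aud: 'api.example.com', iat: NOW - 60, exp: NOW + 3600, role: 'reader' },
);

const decoded = decodeJwt(SAMPLE_TOKEN);
console.log(decoded.header, decoded.payload, decoded.warnings);
const status = expiryStatus(decoded.payload, NOW);
console.log(status.state, formatRemaining(status.secondsRemaining)); // valid 1h 0m 0s
```

`expiryStatus` takes `now` as a parameter rather than reading the clock so the same token can be checked against the time an API response was captured, and `leeway` models the few seconds of skew most verifiers tolerate.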
Why I built it
I decode JWTs constantly — debugging OAuth flows, checking token expiration in API responses, verifying claims match what I expect. Every existing decoder either uploads the token to a server or is buried in ads. For something that handles auth data, I wanted a tool I'd trust with production tokens. This one never sends your data anywhere.
Tips and reference
RFC 7519 registers seven claim names. None of them is mandatory, and a token may carry any number of other public or private claims next to them. Here's what each registered claim means:
| Claim | Name | Description |
|---|---|---|
| `iss` | Issuer | Who issued the token (e.g. your auth server URL) |
| `sub` | Subject | Who the token is about, usually a user ID |
| `aud` | Audience | Intended recipient, the API or service this token is for; a verifier should reject tokens addressed to something else |
| `exp` | Expiration | Unix timestamp (seconds, not milliseconds) after which the token must not be accepted |
| `nbf` | Not Before | Unix timestamp (seconds) before which the token must not be accepted |
| `iat` | Issued At | Unix timestamp (seconds) of when the token was created |
| `jti` | JWT ID | Unique identifier for this token, so a verifier can detect replay |
Important: the JWTs you meet in auth flows are signed (JWS), not encrypted. A separate format, JWE, does encrypt the payload; it has five dot-separated parts instead of three and cannot be read without the key, but it is far less common. Anyone who holds a signed token can read every claim in it; the signature only lets a verifier that holds the right key confirm the token was issued by that key's owner and has not been altered since. Never put secrets in a JWT payload. Signature verification needs the issuer's HMAC secret or public key, which this tool doesn't have, so it shows you the contents, not whether they can be trusted. Treat everything you read here as unverified input: the `alg` in the header is a statement the token makes about itself, and a verifier has to enforce the algorithm and key it expects rather than take the header's word for it.
Built with vanilla HTML/JS. No frameworks, no backend, loads instantly.