Verifies as you type. Your key never leaves your browser.
Decode JWT Token Online — Parser & Verifier
Paste a JWT to instantly decode its header, payload and signature. Timestamps (exp, iat, nbf) become human-readable dates and expired tokens are flagged. Paste a shared secret or PEM public key to verify the signature in the browser — HS256, RS256 and ES256 are all supported via the Web Crypto API. The unsafe alg=none algorithm is explicitly rejected.
How to decode and verify a JWT
- Paste the JWT token into the input box. The tool splits it into header, payload and signature and decodes the first two parts.
- Review the claims (exp, iss, sub, aud) to check the token's validity and origin. Expired tokens are flagged automatically.
- Optional: paste the shared secret (HS256) or the issuer's PEM public key (RS256/ES256) into the Verify panel to confirm the signature is authentic.
- Verification runs locally with the Web Crypto API — your secret or key is never sent anywhere. A green badge confirms the signature; a red banner explains why it failed (signature mismatch, alg=none, key format error).
Common use cases
- Debugging a 401 response by inspecting what claims the client is sending.
- Checking whether a JWT is expired before blaming an auth bug on the server.
- Auditing a token's payload for unintended PII leakage in its claims.
- Verifying a token a third-party service issued by pasting their JWKS public key.
- Reading a signed URL's JWT parameter to understand what access it grants.
Frequently asked questions
Can the tool verify the signature?
Yes. Paste the shared secret (HS256) or the issuer's PEM public key (RS256, ES256) into the Verify panel. Verification runs in the browser using the Web Crypto API — your key is never transmitted. The unsafe alg=none algorithm is explicitly refused even when a key is supplied.
Which algorithms are supported for verification?
HS256 (HMAC-SHA-256), RS256 (RSASSA-PKCS1-v1_5 with SHA-256) and ES256 (ECDSA P-256 with SHA-256). These cover the vast majority of JWT traffic. Other algorithms (HS512, RS384, ES384, EdDSA, etc.) are reported as unsupported rather than silently failing — you'll see the exact alg name in the error so you know what to verify with another tool.
What does 'exp' mean?
Expiration time (Unix timestamp, RFC 7519 §4.1.4). If exp is in the past, the token is expired and the server should reject it. Mismatched clocks are a common cause of false-positive rejections.
Why is alg=none rejected?
Tokens with alg=none have no cryptographic protection — anyone can craft or modify them. Accepting alg=none is a well-known JWT vulnerability (CVE-2015-9235 and many sequels). The verifier here refuses these tokens unconditionally so you can't accidentally validate one.
Is it safe to paste a production JWT here?
Decoding happens in your browser and verification with Web Crypto stays local too — neither the token nor the key is ever sent over the network. Still, treat any production JWT as a credential: never paste a token you have not already rotated or one belonging to another user, and assume browser extensions can read your tabs.
Is my token or key stored?
No. Decoding and verification both run locally and everything is discarded when you leave the page. There's no server-side storage and no third-party analytics on this input.
How to Decode a JWT Token (Parser & Verifier)
A JWT consists of three Base64URL-encoded parts separated by dots: header (algorithm and type — RFC 7519 §5), payload (claims like subject, expiration and custom data — §4), and signature (RFC 7515 / JWS). JWTs are widely used for authentication and API authorization. The signature is what proves a token has not been tampered with — without verifying it against the issuer's secret or public key, decoded claims should never be trusted.
- Header decoding (algorithm, type)
- Payload inspection with formatted JSON
- Human-readable timestamps
- Expiration detection
- Signature verification (HS256, RS256, ES256) via Web Crypto
- alg=none explicitly rejected — refuses to validate unsigned tokens
- Color-coded sections (header, payload, signature)
- Copy individual sections
- Example token for testing
- Privacy-first: token + key never leave your browser
Free. No signup. Browser tools (subnet, JWT, password strength) run locally; lookup tools query public APIs (Cloudflare DoH, RDAP, certificate logs). Full per-tool breakdown at /methodology/.
Sources (3)
- Jones, M., Bradley, J., & Sakimura, N. (2015). JSON Web Token (JWT). RFC 7519, IETF.
- Jones, M., Bradley, J., & Sakimura, N. (2015). JSON Web Signature (JWS). RFC 7515, IETF.
- Jones, M. (2015). JSON Web Algorithms (JWA). RFC 7518, IETF.
These are the IETF RFCs, NIST publications, and W3C standards the tool implements or queries. Locate them on the IETF Datatracker (datatracker.ietf.org) or the official standards body.