Kordu Tools

JWT Decoder

Runs in browser

Decode and inspect JWT tokens — view header, payload, claims, and expiry status without sending data to any server.

Last updated 01 Apr 2026

Paste any JSON Web Token to instantly decode and inspect its header (algorithm and type), payload (all claims including iss, sub, aud, exp, iat, roles, and custom claims), and raw signature. Checks expiry status against the current time. Supports tokens from Auth0, Firebase, Cognito, Supabase, and any JWT-compliant issuer. Fully client-side.

How to use

  1. Copy your JWT token

    Get your JWT from your application's auth state, browser DevTools (Application tab → Cookies or Local Storage), an API client like Postman, or a cURL response.

  2. Paste the token

    Paste the full JWT string (three Base64url-encoded segments separated by dots) into the input box.

  3. Inspect the decoded sections

    View the decoded header (signing algorithm and type), the payload (all claims as formatted JSON), and the raw signature bytes.

  4. Check timestamps and expiry

    The exp and iat timestamps are shown as human-readable dates. The expiry indicator tells you immediately if the token is valid, expired, or has no expiry claim.

  5. Copy sections for debugging

    Use the Copy button next to each section to copy the decoded JSON to your clipboard for pasting into logs, bug reports, or other tools.

Frequently asked questions

Is it safe to paste my JWT here?
All decoding is done entirely in your browser using JavaScript. Your token is never sent to any server or stored anywhere. However, treat production JWTs with the same care as passwords — decode them in a private tab and avoid sharing screenshots containing live tokens.
What is in a JWT?
A JWT has three Base64url-encoded sections separated by dots. The header contains the signing algorithm (e.g. RS256) and token type. The payload contains claims — key-value pairs like sub (user ID), exp (expiry), roles, and any custom data your auth provider adds. The signature verifies integrity but cannot be decoded as readable text.
Why does my token show as expired?
The exp claim is a Unix timestamp in seconds. If that time is in the past, the token is expired and most servers will return 401. You need to refresh the token or re-authenticate to get a fresh one.
Can this tool verify a JWT signature?
No. Verifying a JWT signature requires the signing secret or public key. That information should never be entered into a browser tool. This tool is for inspection and debugging only — use your server-side JWT library for verification.
What JWT algorithms does this support for decoding?
Any algorithm — HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS512, and EdDSA. The header algorithm field is decoded and displayed, but no cryptographic verification is performed.
Does this work with Auth0, Firebase, Cognito, and Supabase tokens?
Yes. All of these services issue standard JWTs that follow the same RFC 7519 format. Paste the access token or ID token from any of them to inspect the claims.
What is the difference between an access token and an ID token?
An access token authorises API calls and typically contains scopes and roles. An ID token (OpenID Connect) contains user identity claims like name, email, and profile picture. Both are JWTs but serve different purposes — do not use ID tokens for API authorisation.
Can I decode a JWT without the signature?
Yes. If you only have the header and payload (the first two segments), you can paste them with a trailing dot and the decoder will still parse the header and payload. The signature is not needed for decoding — only for verification.
Why is there no verification feature?
JWT verification requires sharing your signing secret or private key with the tool, which creates a security risk. Never enter production secrets into a browser-based tool. Use your backend JWT library (jsonwebtoken, python-jose, golang-jwt) for verified token inspection.

JWT Decoder is the fastest way to inspect a JSON Web Token without writing code. Paste a token from your application, browser DevTools, API client, or cURL response and the tool immediately decodes and formats all three sections.

The header section shows the signing algorithm (HS256, RS256, ES256, etc.) and token type. The payload section displays every claim in formatted JSON: standard registered claims (iss, sub, aud, exp, nbf, iat, jti) alongside any custom claims your auth provider adds — roles, permissions, tenant IDs, email addresses, and more. Timestamps in exp and iat are converted to human-readable dates alongside the raw Unix values.

The expiry status indicator compares the exp claim against the current time and clearly marks the token as valid, expired, or missing an expiry claim. Useful for debugging why an API call returns 401 when you expect the session to still be active.

This tool decodes only — it cannot verify the JWT signature because verification requires the secret key or public key, which should never be pasted into a browser tool. Use it for inspection and debugging, not for security validation. All decoding runs client-side; your tokens never leave your browser.
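The decoding steps described above (split on dots, Base64url-decode the header and payload, compare exp with the current time), written out as an added example that is not the tool's own source. The names b64urlToText, inspectJwt, enc and SAMPLE_TOKEN are hypothetical, and the sample token is constructed for illustration.

```javascript
// Added example: inspection only. Nothing here verifies the signature.
// b64urlToText, inspectJwt, enc and SAMPLE_TOKEN are hypothetical names.

function b64urlToText(segment) {
  if (!/^[A-Za-z0-9_-]+$/.test(segment)) throw new Error("segment is not Base64url");
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (ch) => ch.charCodeAt(0));
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes); // reject invalid UTF-8
}

function inspectJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  // Header and payload with a trailing dot (empty signature) still decode.
  if (parts.length !== 3) throw new Error("expected three dot-separated segments");
  const header = JSON.parse(b64urlToText(parts[0]));
  const payload = JSON.parse(b64urlToText(parts[1]));
  let expiry = "no-exp-claim";
  let expiresAt = null;
  if (payload.exp !== undefined) {
    if (typeof payload.exp !== "number") throw new Error("exp is not a numeric timestamp");
    expiresAt = new Date(payload.exp * 1000).toISOString(); // exp is in seconds
    // RFC 7519: the current time must be before exp for the token to be accepted.
    expiry = nowSeconds < payload.exp ? "not-expired" : "expired";
  }
  return { header, payload, signature: parts[2], hasSignature: parts[2].length > 0,
           expiry, expiresAt, signatureVerified: false };
}

// Constructed sample token (not a real credential): header and payload only, trailing dot.
const enc = (obj) =>
  btoa(JSON.stringify(obj)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const SAMPLE_TOKEN =
  enc({ alg: "RS256", typ: "JWT" }) + "." +
  enc({ sub: "user-123", roles: ["admin"], iat: 1700000000, exp: 1700003600 }) + ".";

const result = inspectJwt(SAMPLE_TOKEN, 1700000100);
console.log(result.header.alg, result.expiry, result.expiresAt);
```

The status is labelled "not-expired" rather than "valid" because the claims are read from an unverified token; signatureVerified is always false.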