
JWT Decoder

Decode JSON Web Tokens — inspect header, payload, and signature without a secret.


This tool runs entirely in your browser. Your token is never sent to CodeAva servers and is not stored. Decoding a JWT reads its contents — it does not verify the signature or confirm that the token is trustworthy.

Overview

A JSON Web Token (JWT) is a compact, URL-safe string used to represent claims between two parties. It consists of three Base64URL-encoded segments — header, payload, and signature — separated by dots. This tool decodes the first two segments so you can read the claims inside a token without needing the signing secret.

Decoding is useful during development and debugging: you can quickly inspect what claims a token carries, check expiry timestamps, confirm the algorithm, or spot unexpected fields. It is not the same as verification. A decoded token with a valid structure may still be forged or expired — only a server holding the secret key can confirm authenticity.

Common claims you will see include sub (subject), exp (expiry), iat (issued at), nbf (not before), and aud (audience). This tool highlights expiry status automatically when an exp claim is present.

Use cases

When to use it

  • Debugging auth flows: inspect what claims your server is actually issuing.
  • Checking token expiry: confirm exp, iat, and nbf values during integration testing.
  • Reviewing token structure: verify algorithm, token type, and custom claim fields.
  • Diagnosing 401 errors: quickly see whether a token has expired or carries unexpected claims.

When it's not enough

  • Signature verification: this tool does not verify the HMAC or RSA signature — use your auth server for that.
  • Authorization decisions: never grant access based on decoded claims without server-side signature validation.
  • Production secret inspection: avoid pasting tokens containing sensitive production credentials into any online tool.

How to use it

  1. Obtain a JWT

     Copy a token from a response header, cookie, localStorage, or your auth provider dashboard.

  2. Paste it into the input

     The token should look like three Base64URL segments separated by dots.

  3. Click Decode

     The header and payload are decoded and displayed with syntax highlighting.

  4. Inspect the claims

     Review sub, exp, iat, aud, and any custom claims. Expiry status is shown automatically.

  5. Note the signature

     The signature segment is shown as-is — it cannot be verified without the secret key.

Common errors and fixes

Invalid JWT — expected 3 dot-separated parts

Check that you have copied the full token including all three segments. Tokens truncated by line wrapping or copy-paste errors are the most common cause.

Failed to decode — invalid Base64URL

The token segments must be Base64URL-encoded. If you manually constructed a token or edited it, the encoding may have been corrupted.

Payload JSON is malformed

Some non-standard JWT implementations include non-JSON payloads. Verify the token was issued by a spec-compliant library.

Token shows as expired immediately

Check that your system clock is correct. JWT exp values are Unix timestamps (seconds since the epoch, UTC) — clock drift between your machine and the issuer can cause false expiry readings.

Claims look wrong or missing

Confirm you are decoding the right token type. Access tokens, ID tokens, and refresh tokens carry different claim sets.
