JWT Parser
The JWT parser decodes JSON Web Tokens and displays their header, payload, and signature in a readable format. It shows all claims, including standard ones like exp, iat, sub, and iss, and highlights whether the token is expired. Decoding does not require the signing key: it is purely a base64url decode operation, so you can inspect a token for debugging without handling or exposing the signing secret.
What is a JWT?
A JSON Web Token (JWT) is a compact, URL-safe token format defined in RFC 7519. It consists of three base64url-encoded parts separated by dots: the header (algorithm and token type), the payload (claims about the subject), and the signature (used to verify authenticity). JWTs are widely used for authentication and authorization in web APIs. The payload is not encrypted, only signed, so anyone can decode and read the claims, but only the holder of the signing key (the HMAC secret for HS256, the private key for RS256/ES256) can produce a valid signature.
How does it work?
The JWT is split on dots, and each section is base64url-decoded and JSON-parsed. The header reveals the signing algorithm (e.g., RS256, HS256, ES256) and token type. The payload lists all claims in a structured table. Standard claims like exp (expiration), iat (issued at), and nbf (not before) are converted from Unix timestamps to human-readable dates. The signature section is displayed as a hex string; it is verified against a public key or secret only if you provide one.
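The decoding steps described above, as an added JavaScript example (not this tool's own code) that also handles malformed tokens and flags unsigned or expired ones. The names inspectJwt, b64urlToBytes, decodeJson and toIso and the warning strings are assumptions for illustration; the function only decodes and never verifies the signature.

```javascript
// Added example: decode-only JWT inspection. Runs in a browser or Node (atob, TextDecoder).
const b64urlToBytes = (seg) => {
  if (!/^[A-Za-z0-9_-]*$/.test(seg)) throw new Error('segment is not base64url');
  const b64 = seg.replace(/-/g, '+').replace(/_/g, '/');
  const bin = atob(b64 + '='.repeat((4 - (b64.length % 4)) % 4)); // restore padding
  return Uint8Array.from(bin, (c) => c.charCodeAt(0));
};

const decodeJson = (seg, name) => {
  let value;
  try {
    value = JSON.parse(new TextDecoder().decode(b64urlToBytes(seg)));
  } catch (e) {
    throw new Error(`${name} is not base64url-encoded JSON: ${e.message}`);
  }
  if (value === null || typeof value !== 'object' || Array.isArray(value)) {
    throw new Error(`${name} must be a JSON object`);
  }
  return value;
};

// Unix seconds -> ISO 8601 UTC, tolerating values outside the Date range.
const toIso = (s) => {
  const d = new Date(s * 1000);
  return Number.isNaN(d.getTime()) ? 'out of range' : d.toISOString();
};

function inspectJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = String(token).trim().split('.');
  if (parts.length !== 3) throw new Error(`expected 3 dot-separated parts, got ${parts.length}`);
  const header = decodeJson(parts[0], 'header');
  const payload = decodeJson(parts[1], 'payload');
  const sigBytes = b64urlToBytes(parts[2]);
  const times = {};
  for (const claim of ['exp', 'iat', 'nbf']) {
    if (Number.isFinite(payload[claim])) times[claim] = toIso(payload[claim]);
  }
  const warnings = [];
  if (String(header.alg).toLowerCase() === 'none') warnings.push('alg is none: token is unsigned');
  if (sigBytes.length === 0) warnings.push('signature part is empty');
  if (Number.isFinite(payload.exp) && payload.exp <= nowSeconds) warnings.push('token is expired');
  if (Number.isFinite(payload.nbf) && payload.nbf > nowSeconds) warnings.push('token is not yet valid');
  return {
    header, payload, times, warnings,
    signatureHex: Array.from(sigBytes, (b) => b.toString(16).padStart(2, '0')).join(''),
    verified: false, // decoding never proves authenticity; that requires the key
  };
}
```

Passing nowSeconds explicitly makes the expiry check reproducible when examining an old token.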
Typical Use Cases
- Inspecting an access token to see which scopes or roles are included
- Debugging an expired JWT to see the exact expiration time
- Identifying the signing algorithm to troubleshoot verification errors
- Reviewing the issuer and audience claims during OAuth 2.0 integration
Step-by-step Guide
- Step 1: Paste the JWT into the input field.
- Step 2: Review the decoded header to see the algorithm and type.
- Step 3: Inspect the payload claims, including expiration and subject.
- Step 4: Optionally provide a secret or public key to verify the signature.
Example
Input
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ1c2VyMTIzIiwiZXhwIjoxNzAwMDAwMDAwfQ.xxx
Output
Header: {alg: HS256, typ: JWT} | Payload: {sub: 'user123', exp: 2023-11-14 22:13:20}
Tips & Notes
- Never paste production JWTs containing sensitive claims into untrusted online tools — this tool processes everything client-side.
- Check the exp claim first when debugging authentication failures — token expiry is the most common cause.
- The alg: none attack exploits parsers that accept unsigned tokens — always validate the algorithm on the server.
Frequently Asked Questions
Is it safe to decode a JWT in this tool?
This tool processes the JWT entirely in the browser — nothing is sent to a server. However, avoid pasting tokens from production systems that contain sensitive user data into any online tool.
Can I verify the JWT signature without the secret?
No. Signature verification requires either the HMAC secret (for HS256) or the public key (for RS256/ES256). Without it, you can only decode the header and payload, not confirm authenticity.