All Tools About Blog Code Examples MCP Server — Use tools from AI agents
Workflows Paste Anything — Smart Detector Tool Pipeline Builder Bulk / Batch Processor
JSON Tools JSON Formatter & Beautifier JSON Validator JSON to CSV Converter JSON to TypeScript Generator JSON to Python Converter JSON Flatten & Unflatten jq Playground — JSON Processor JSON Mock Data Generator JSON Schema Validator JSONPath Evaluator JSON Schema Generator JSON Patch / Diff Generator
Encoding Tools Base64 Encoder / Decoder URL Encoder / Decoder Hash Generator (MD5/SHA) JWT Decoder HTML Entity Encoder / Decoder Image to Base64 Converter String Escape / Unescape Tool ASCII / Binary / Hex Converter Protobuf Decoder — Wire Format Viewer Encoding Detective — Mojibake Repair
Formatters HTML Beautifier XML Formatter & Validator SQL Formatter & Beautifier CSS Minifier & Beautifier JavaScript Minifier & Beautifier TOML Formatter & Converter YAML Formatter, Validator & Minifier
Generators UUID Generator Password Generator QR Code Generator Lorem Ipsum Generator Cron Expression Generator chmod Calculator Slug / URL Generator .gitignore Generator
Testing Tools Regex Tester Regex Explainer — Plain English
Security Tools HMAC Generator Content Security Policy Generator SSH Key Generator SSL Certificate Decoder CORS Header Builder & Generator
Design Tools Color Picker & Converter Placeholder Image Generator SVG Path Editor & Visualizer
Comparison Tools Diff Checker / Text Compare .env Diff & Merge
Converters JSON-YAML Converter Epoch / Unix Timestamp Converter Markdown to HTML Preview Curl to Fetch/Axios Converter Tailwind CSS Converter OpenAPI to TypeScript Text Case Converter Number Base Converter CSV Viewer & Editor Date & Time Format Converter SQL to MongoDB & N1QL Converter Semver Calculator & Comparator Byte / Size Calculator URL Parser & Builder Glob to Regex Converter Math Expression Evaluator SQL DDL to TypeScript Converter Duration / Time Calculator CSS Unit Converter — px, rem, em, pt, vw, vh JSON to Go Struct Converter HTML to Markdown Converter CSV to SQL Converter SQL to ORM Converter
Reference HTTP Status Code Explorer Git Command Builder GraphQL Schema Explorer MIME Type Lookup
Text Tools Word & Character Counter Text Line Sorter, Deduplicator & Tools
Networking Tools Subnet / CIDR Calculator
DevOps Tools Nginx Config Generator Docker Compose Validator Robots.txt Generator & Validator GitHub Actions YAML Validator

JWT Decoder

Decode and inspect JSON Web Tokens instantly. View header, payload, and expiration. Free, client-side, no signup.

Your data never leaves your browser Available via MCP

Paste a JWT token and click Decode
Next steps
HMAC Generator Base64 JSON Formatter Epoch Converter

How to Use

  1. Paste your JWT token into the input field (starts with eyJ...).
  2. Click Decode to view the header, payload, and signature.
  3. Timestamp fields (iat, exp, nbf) are automatically converted to human-readable dates.
  4. Click Sample to load an example JWT for exploration.

What Is a JWT?

JSON Web Tokens (JWTs, pronounced "jots") are an open standard (RFC 7519) for creating access tokens that assert claims. They are widely used for authentication and authorization in web applications, APIs, and microservices. A JWT allows a server to issue a self-contained token that clients can present to prove their identity without the server needing to look up session state.

JWT Structure

A JWT consists of three parts separated by dots (.):

Header — Contains the signing algorithm (e.g., HS256, RS256) and token type (JWT). This is Base64url-encoded JSON.

Payload — Contains the claims: data about the user or session. Standard claims include sub (subject), iat (issued at), exp (expiration), and iss (issuer). You can also include custom claims. This is also Base64url-encoded JSON.

Signature — Created by signing the encoded header and payload with a secret key (HMAC) or private key (RSA/ECDSA). The signature ensures the token has not been tampered with.

Common JWT Algorithms

  • HS256 (HMAC-SHA256) — Symmetric: the same secret key signs and verifies. Simple but requires secure key sharing.
  • RS256 (RSA-SHA256) — Asymmetric: a private key signs, a public key verifies. Ideal for distributed systems where verifiers should not have signing capability.
  • ES256 (ECDSA-P256) — Asymmetric with smaller keys and signatures than RSA. Increasingly preferred for new systems.
  • EdDSA (Ed25519) — Modern asymmetric algorithm with excellent performance and small signatures.

JWT Security Best Practices

  • Always verify the signature server-side before trusting any claims
  • Set short expiration times (15 minutes for access tokens) and use refresh tokens for longer sessions
  • Never store sensitive data in the payload — it is encoded, not encrypted
  • Validate the iss (issuer) and aud (audience) claims to prevent token misuse across services
  • Use the alg header carefully — always validate it matches your expected algorithm to prevent algorithm confusion attacks

JWTs in Code

In Node.js, the jsonwebtoken package provides jwt.sign() and jwt.verify(). In Python, use PyJWT: jwt.encode() and jwt.decode(). In Go, the golang-jwt/jwt package is the standard choice. Most frameworks (Express, Django, Spring) have JWT middleware for automatic token validation.

Related Tools

JWTs use Base64 encoding for header and payload. Signatures use SHA-256 hashing. Prettify payloads with the JSON Formatter. Convert JWT timestamp claims with the Epoch Converter. Validate JWT payload structure with the JSON Validator. Encode JWTs for URL parameters with the URL Encoder.

Frequently Asked Questions

What is a JWT?
A JSON Web Token (JWT) is a compact, URL-safe token format used for securely transmitting information between parties. It consists of three Base64url-encoded parts separated by dots: a header (algorithm and token type), a payload (claims/data), and a signature.
Does this tool verify the signature?
No. This tool decodes the header and payload, which are simply Base64url-encoded and not encrypted. Signature verification requires the secret key or public key, which should never be entered into a web tool. Use a server-side library for verification.
Is it safe to paste my JWT here?
Yes. All decoding happens entirely in your browser — no data is sent to any server. However, be aware that JWTs often contain sensitive information like user IDs and roles. Never share JWTs publicly or paste them into untrusted tools.
What do iat, exp, and nbf mean?
These are standard JWT claims representing timestamps in Unix epoch seconds. "iat" (Issued At) is when the token was created. "exp" (Expiration Time) is when the token expires. "nbf" (Not Before) is the earliest time the token should be accepted.
Can JWTs be decrypted?
Standard JWTs (JWS) are signed but not encrypted — the payload is Base64url-encoded and readable by anyone. JWE (JSON Web Encryption) tokens are encrypted, but they are less common. This tool handles standard signed JWTs.

Code Examples

Learn how to use this tool programmatically in your favorite language.

Decode JWT tokens

Verify JWT signatures

Related Tools

Base64 Encoder / Decoder

Encode and decode Base64 strings instantly.

URL Encoder / Decoder

Encode and decode URL components safely.

Hash Generator (MD5/SHA)

Generate MD5, SHA-1, SHA-256, SHA-384, and SHA-512 hashes.

HTML Entity Encoder / Decoder

Encode special characters to HTML entities or decode them back.

Image to Base64 Converter

Convert images to Base64 encoded strings. Output as Data URI, CSS, HTML, or raw Base64.

Use this tool from AI agents. The CodeTidy MCP Server lets Claude, Cursor, and other AI agents use this tool and 46 others directly. One command: npx @codetidy/mcp

Drop file to load