FastDevTool

JWT Decoder

Decode and inspect JWT tokens. Never sends data to any server.

How to use the JWT decoder

Paste a JSON Web Token into the token field. The decoder splits the token into its three parts, decodes the Base64URL header and payload, and formats both sections as readable JSON. If the payload includes an exp claim, the page also shows whether the token is expired and when it expires.

Use this when debugging authentication headers, OAuth flows, API requests, cookies, or local development sessions. It is especially helpful when you need to confirm issuer, audience, subject, scopes, roles, tenant IDs, and issued-at timestamps without wiring up server-side logging.

What to inspect first

Start with the header to confirm the algorithm and token type. Then review the payload claims that control access, such as iss, aud, sub, exp, nbf, iat, scope, roles, permissions, organization, or environment.

For authorization bugs, compare a working token against a failing token and look for changed claims, missing scopes, a wrong audience, clock skew around nbf or exp, or a token issued by the wrong identity provider. Copy the decoded header or payload into JSON Formatter if you want to annotate or share a cleaner snippet.

Decoder, not signature verifier

This page is for inspection and debugging. It decodes the token structure, but it does not verify the signature because real verification requires a secret key or public key. A decoded token should never be treated as trusted until your application verifies it with the expected algorithm, issuer, audience, and signing key.

The signature is shown as hexadecimal bytes so you can see that the token includes a third section, but the presence of that section alone does not prove authenticity.

Private browser-side decoding

The token is decoded locally with browser JavaScript. FastDevTool does not send the JWT to a backend, save it, or log its claims.

Even with local processing, avoid pasting active production user tokens when possible. Prefer test tokens, expired tokens, or sanitized examples, especially if a token grants access to customer data, admin systems, or paid APIs.

Related Tools

Frequently Asked Questions

What is a JWT?

+

A JSON Web Token (JWT) is a compact, URL-safe token format used to securely transmit information between parties. It consists of three Base64URL-encoded parts separated by dots: a header (specifying the algorithm), a payload (containing claims like user ID or expiry time), and a signature that verifies the token has not been tampered with.

What are JWT claims?

+

Claims are statements about an entity (typically a user) stored in the JWT payload. Standard registered claims include iss (issuer), sub (subject/user ID), aud (audience), exp (expiration time), iat (issued-at time), and nbf (not-before time). Applications can also add custom private claims for application-specific data.

Can this tool verify a JWT signature?

+

No — signature verification requires the secret key (for HMAC algorithms like HS256) or the public key (for RSA/ECDSA algorithms like RS256 or ES256), which are not provided to this tool. This decoder only inspects the header and payload, which is useful for debugging claims and expiry times. Never treat an unverified JWT as trusted data.

Is it safe to paste my JWT into an online tool?

+

This tool processes your JWT entirely in your browser — it never sends the token to any server. However, as a general security practice, avoid pasting real production tokens from live user sessions into any online tool, as tokens that haven't expired could be misused if intercepted. Use test or already-expired tokens when possible.

What is the difference between JWT and session cookies?

+

Session cookies store a session ID on the server and look up user data on each request, requiring server-side session storage. JWTs are self-contained: the token itself carries user data and is verified mathematically without a database lookup. JWTs are stateless and work well for distributed systems, but cannot be invalidated before expiry without additional infrastructure like a token denylist.