DevKnightUtils logo

JWT Decoder

Decode JSON Web Tokens and view their header, payload, and signature.

Why decode JWTs locally?

Use this page to inspect JWTs while debugging authentication flows, API responses, and token-related errors. It is useful for checking claims such as iss, aud, exp, iat, and custom payload fields without pasting the token into a remote decoder.

Decode tokens locally in the browser

JWT decoding on this page happens in the browser. That makes it easier to inspect headers and claims while keeping token handling inside your own session. You should still treat real credentials and production tokens with appropriate care.

What this tool does

JWT debugging is usually urgent: a token expires too early, carries the wrong role or was signed with an unexpected algorithm. This page helps you inspect the token structure safely in the browser so you can understand what your identity provider actually issued.

  • Splits the token into header, payload and signature so each part is easier to inspect.
  • Decodes Base64URL sections without sending auth data to a remote service.
  • Helps developers confirm claims such as sub, iss, aud, iat and exp during auth troubleshooting.

How to use it

  • 1

    Paste the JWT into the input field.

  • 2

    Inspect the header to confirm the algorithm and token type.

  • 3

    Review the payload to check claims, roles and expiry timestamps.

  • 4

    Compare the decoded claims with what your auth server or client application expects.

Example

A developer receives a 401 and needs to verify whether the token already expired or carries the wrong audience.

eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9...
Payload includes aud: admin-api and exp: 1711468800, which explains the rejection.

Use cases

  • Checking whether an access token has already expired.
  • Verifying custom claims from Auth0, Keycloak, Cognito or a custom identity service.
  • Confirming that the token audience, issuer and roles match the environment you are testing.

Common mistakes

Treating decode as signature verification

Decoding reveals token contents, but it does not prove the token was signed by a trusted issuer.

Sharing real production tokens in public tools

A JWT may expose emails, IDs, tenant metadata or permissions. Decode it locally whenever possible.

Ignoring time-based claims

Many auth bugs come from exp, iat or clock skew issues rather than from bad credentials.

FAQ

Can this tool verify the JWT signature?

No. It helps you inspect the token contents, but signature verification requires the correct secret or public key.

Is it safe to paste a JWT here?

It is safer than using a server-side decoder because the token stays in your browser, but you should still avoid exposing real production secrets unnecessarily.

Why does the payload look readable if JWT is supposed to be secure?

JWT payloads are encoded, not encrypted, unless you are specifically using JWE. A normal JWT can be read after Base64URL decoding.

What claims should I check first?

Start with iss, aud, sub, exp, nbf and any role or scope claims your application uses for authorization.

Why do I still get 401 after decoding a valid payload?

The token may still fail signature verification, audience checks, issuer checks or expiration checks in your backend.

Privacy and security

  • The token is decoded locally in the browser.
  • No JWT is transmitted to a validation API or remote decoder.
  • This reduces the risk of exposing bearer tokens during debugging.

Related tools

Related tools for the next step in the same workflow:

JWT GeneratorBase64 Encoder/DecoderHash Generator

Next step

Decode the token locally first, then generate a new one or inspect related encodings without leaving DevKnightUtils.

We use Google AdSense and Google Analytics cookies to show relevant ads and collect usage statistics. You can accept or reject non-essential cookies. Read our Privacy Policy for more information.