Decode and inspect JWT tokens online without verification. Instantly view the header, payload claims, and expiration date — all processed locally in your browser.
JWT Decoder is a free, browser-based tool
from UseToolSuite's
Encoding & Decoding Tools collection.
All processing happens locally on your device — your data is never uploaded to any server.
Use the tool below, then scroll down for detailed documentation, frequently asked questions, and related resources.
Zero-Knowledge JWT Debugger
The JWT Debugger is an elite, privacy-first utility that lets you decode JSON Web Tokens entirely offline. Because the tool executes exclusively in your browser using native JavaScript and the `Web Crypto API`, your sensitive access tokens, payloads, and cryptographic secrets are never transmitted to any external server.
Cryptographic Signature Verification
Verify the authenticity of your tokens locally. By utilizing the native window.crypto.subtle interface, this tool can instantly validate HMAC SHA-256 (HS256) secrets and RSA (RS256) public key certificates without any backend round-trips. This guarantees absolute zero-knowledge security for your debugging sessions.
HS256 vs RS256: Which algorithm to use
| Feature | HS256 (HMAC) | RS256 (RSA) |
| Key type | Shared secret | Public/private key pair |
| Verification | Requires the secret | Public key only |
| Performance | Faster | Slower (asymmetric) |
| Best for | Single-service apps | Microservices, OIDC, third-party verification |
Use HS256 when the same service creates and verifies tokens. Use RS256 when multiple services need to verify tokens without sharing a secret — common in OAuth 2.0 and OpenID Connect architectures.
The registered claims, decoded
| Claim | Name | What to check |
|---|
iss | Issuer | Matches the auth server you expect |
sub | Subject | The user/principal ID — stable across sessions |
aud | Audience | Contains your service; reject tokens meant for others |
exp | Expiration | Seconds (not ms) since epoch; in the future |
nbf | Not before | Token invalid until this time |
iat | Issued at | Useful for measuring token age |
jti | JWT ID | Unique ID, enables revocation lists |
The most commonly skipped check in real codebases is aud — without it, a token issued for one microservice can be replayed against another service that shares the same signing key.
Debugging the three usual failure modes
Signature invalid: you’re verifying with the wrong key (rotated keys, wrong environment), the wrong algorithm family (HS256 secret used against an RS256 token), or the token was truncated in transit — check for a missing final segment after the second dot.
Token rejected as malformed: JWTs use base64url (- and _) without padding; a token that went through a strict standard-Base64 decoder somewhere in your pipeline gets corrupted. URL-encoding a token inside a query string can also mangle it.
Claims look wrong: decode here and read the raw payload. A surprising number of “auth bugs” are just the issuer putting a claim under a different name (userId vs sub) or nesting custom claims under a namespace URL, as Auth0 and others do.
Token hygiene for builders
Keep payloads small — JWTs travel on every request, and a kilobyte of user profile in the token is a kilobyte of header overhead per call. Set expiry short (minutes for access tokens) and pair with refresh tokens; long-lived bearer tokens are stolen-credential time bombs. And never put secrets in the payload: a JWT is signed, not encrypted — anyone holding it can read everything, exactly as this decoder demonstrates.
How helpful was this tool?
Click to rate
Awesome! Glad it helped.
We don't have a marketing budget. The best way to support this free tool is by sharing it with other developers!
Help us improve!
Sorry it didn't meet your expectations. We're always looking to make these tools better. What was missing or broken?
Open GitHub Issue