FAK LAB JWT Decoder

JWT Decoder

Decode and inspect JSON Web Tokens — header, payload, expiry, claims

How to Use the JWT Decoder

  1. Paste Token: Copy a JWT token (starting with "eyJ...") from your API response, authorization header, cookie, or localStorage and paste it into the input field.
  2. Decode: Click "Decode" or press Ctrl+Enter. The tool splits the token into its three parts (header, payload, signature) and decodes the Base64URL-encoded header and payload.
  3. Inspect Header: See the algorithm (HS256, RS256, ES256, etc.) and token type used for signing.
  4. Inspect Payload: View all claims — registered claims (iss, sub, aud, exp, iat, nbf, jti) are parsed and displayed with human-readable timestamps. Custom claims are shown as raw JSON.
  5. Check Status: The Token Status section shows whether the token is currently valid or expired, with a countdown showing remaining time until expiry.

Technical Overview & Use Cases

JSON Web Tokens (RFC 7519) consist of three Base64URL-encoded parts separated by dots: header (algorithm + type), payload (claims/data), and signature (cryptographic verification). This decoder performs Base64URL-to-UTF8 conversion with proper padding restoration (replacing - with +, _ with /, and adding = padding). It parses Unix epoch timestamps (iat, exp, nbf) into local date/time strings. Note: this tool decodes but does NOT verify signatures — it reveals what's inside a token without needing the signing secret.
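As an added example (not the FAK LAB tool's own code), here is a minimal JavaScript version of the decode-only flow just described: Base64URL alphabet and padding restoration, JSON parsing of header and payload, and an exp/nbf status computed against a reference time, with the signature left unverified. The sample token, its issuer URL and claim values are constructed for the demonstration.

```javascript
// Decode-only JWT inspection: no signing secret or public key is involved,
// so the signature segment is returned as-is and never checked.

function base64UrlDecode(input) {
  // Restore the standard Base64 alphabet and the '=' padding JWTs strip off.
  let b64 = input.replace(/-/g, '+').replace(/_/g, '/');
  const rem = b64.length % 4;
  if (rem === 1) throw new Error('invalid Base64URL length');
  if (rem) b64 += '='.repeat(4 - rem);
  const bytes = Uint8Array.from(atob(b64), c => c.charCodeAt(0));
  return new TextDecoder().decode(bytes); // bytes -> UTF-8 string
}

function decodeJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split('.');
  if (parts.length !== 3) throw new Error('expected header.payload.signature');
  const header = JSON.parse(base64UrlDecode(parts[0]));
  const payload = JSON.parse(base64UrlDecode(parts[1]));
  // Status reflects the time claims only; signatureVerified is always false here.
  const status = { signatureVerified: false };
  if (typeof payload.exp === 'number') {
    status.expired = nowSeconds >= payload.exp;
    status.secondsUntilExpiry = payload.exp - nowSeconds;
  }
  if (typeof payload.nbf === 'number') status.notYetValid = nowSeconds < payload.nbf;
  return { header, payload, signature: parts[2], status };
}

// Helper used only to build the constructed sample below (no padding, URL-safe alphabet).
function base64UrlEncode(str) {
  const bin = String.fromCharCode(...new TextEncoder().encode(str));
  return btoa(bin).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Constructed sample token (not a real credential): HS256 header, registered
// claims, and a placeholder where a real signature segment would be.
const SAMPLE_TOKEN = [
  base64UrlEncode(JSON.stringify({ alg: 'HS256', typ: 'JWT' })),
  base64UrlEncode(JSON.stringify({ iss: 'https://issuer.example', sub: 'user-123',
                                   iat: 1700000000, exp: 1700003600 })),
  'signature-placeholder',
].join('.');

console.log(JSON.stringify(decodeJwt(SAMPLE_TOKEN, 1700000000), null, 2));
```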

Real-world use cases:

Privacy & Security Guarantee

This tool is part of the FAK LAB ecosystem, founded by Faizan Ahmad Khan Khichi. JWT decoding happens 100% in your browser using Base64 decoding and JSON parsing. Your tokens — which contain authentication claims, user identifiers, and session data — are never transmitted to any server. No tokens are logged, cached, or exposed. Important: Never paste tokens containing active secrets into online tools that send data to servers — this tool is safe because it's purely client-side.

Frequently Asked Questions

Does this tool verify the JWT signature?

No. Signature verification requires the signing secret (for HMAC) or public key (for RSA/ECDSA), which this tool doesn't have access to. It only decodes and displays the token contents. A decoded token doesn't mean it's valid — verification must happen server-side with the proper key.

Is it safe to decode JWTs in the browser?

Yes — JWT payloads are NOT encrypted, only Base64-encoded. Anyone who possesses the token can read its contents trivially. This is by design: JWTs are meant to carry claims that don't require confidentiality, only integrity (guaranteed by the signature). Sensitive data should never be placed in JWT payloads.

What does the "exp" claim mean?

The "exp" (expiration) claim is a Unix timestamp indicating when the token becomes invalid. After this time, the token should be rejected by servers regardless of its signature validity. Short-lived tokens (15 min - 1 hour) limit damage if a token is stolen. This tool shows whether the token has passed its expiry and by how much.