A JSON Web Token (JWT) is a compact, URL-safe way to represent claims between two parties. It consists of three Base64URL-encoded parts separated by dots: header (algorithm & token type), payload (claims/data), and signature (cryptographic verification). JWTs are commonly used for API authentication (OAuth 2.0, OpenID Connect).

Is it safe to paste my JWT into this tool?

Yes. All parsing happens entirely in your browser using JavaScript. Your token is never sent to any server, never logged, and never stored. You can verify this by checking your browser's Network tab — zero data is transmitted.

Does decoding a JWT mean it's authentic?

No. Decoding a JWT only reads its contents — the header and payload are Base64URL-encoded, not encrypted. Anyone can decode a JWT. To verify authenticity, you must check the signature using the issuer's secret or public key. This tool helps you inspect the contents, but signature verification should be done server-side.

What do exp, iat, and nbf mean?

exp (expiration): the token expires after this timestamp. iat (issued at): when the token was issued. nbf (not before): the token is not valid before this timestamp. This tool converts these Unix timestamps to human-readable dates and warns if the token is expired or not yet valid.

What does alg: none mean?

alg: "none" means the JWT has no signature — the third part is empty. This is a security risk because anyone can forge a token with arbitrary claims. Always reject tokens with alg: none in production.

Tools

JWT

Paste a JWT token to parse...

JWT Parser

JWT parser and debugger. Decode JSON Web Tokens instantly — view header, payload, and signature in readable format. Inspect registered claims (exp, iat, nbf, iss, sub, aud) with human-readable timestamps. Detects expired tokens, missing expiration, weak algorithms, and alg:none security issues. All processing runs locally in your browser — your tokens never leave your device.

Features

✓Decode JWT header, payload, and signature instantly
✓Inspect registered claims with human-readable timestamps
✓Security warnings — expired tokens, missing exp, alg: none
✓Pretty-printed JSON for header and payload
✓Signature shown in hex bytes
✓All processing runs locally — tokens never leave your device

How to Use

1Paste your JWT token (header.payload.signature) into the input area. Parsing happens automatically.
2Review the decoded header and payload JSON, claims summary, and signature bytes.
3Check warnings for security issues like expired tokens or weak algorithms.

Frequently Asked Questions

Related Tools

Base64 Encode / Decode

Base64 encoder and decoder. Encode text to Base64 or decode Base64 back to readable text with real-time auto-detection. Supports UTF-8 characters including emojis, Chinese, and other non-Latin scripts. Features include drag-and-drop file upload, one-click copy, and download results as text files. All processing runs locally in your browser — your data never leaves your device.

JSON Formatter

JSON formatter, validator, and beautifier. Format, minify, pretty-print, and syntax-highlight JSON data instantly. Features include key sorting, custom indentation (2/4 spaces or tab), line numbers, tree view, error highlighting with line/column position, drag-and-drop file upload, one-click copy/download. All processing runs locally in your browser — no server uploads.

Hash Calculator

Hash calculator supporting 25 algorithms — MD2, MD4, MD5, SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, SHA3-224, SHA3-256, SHA3-384, SHA3-512, Keccak-256, Keccak-512, BLAKE2b-256, BLAKE2b-512, BLAKE2s-256, BLAKE3, RIPEMD-160, SM3, Whirlpool, CRC32, Adler-32, xxHash32, and xxHash64. Compute hash digests of any text input in real time. Features include HMAC with a secret key, uppercase/lowercase hex output, hash verification against a known checksum, one-click copy, and download results. All hashing runs locally in your browser — your data never leaves your device.