Decode a JWT Authentication Token
JSON Web Tokens are the standard credential format for REST APIs and OAuth 2.0 flows. Decoding a JWT reveals the algorithm, issuer, subject, expiration time, and any custom claims embedded by the auth server. This tool decodes entirely in the browser — your token never leaves your device. Use it to debug authentication failures by verifying claim values match what your application expects.
Example
eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImFiYzEyMyJ9.eyJzdWIiOiJ1c2VyXzQ1NiIsImlzcyI6Imh0dHBzOi8vYXV0aC5leGFtcGxlLmNvbSIsImF1ZCI6ImFwaS5leGFtcGxlLmNvbSIsImlhdCI6MTcwMDAwMDAwMCwiZXhwIjoxNzAwMDAzNjAwLCJzY29wZSI6InJlYWQ6cHJvZmlsZSB3cml0ZTpwb3N0cyIsInJvbGUiOiJlZGl0b3IiLCJlbWFpbCI6InVzZXJAZXhhbXBsZS5jb20ifQ.signature
FAQ
- What is the difference between HS256 and RS256 JWT algorithms?
- HS256 (HMAC-SHA256) uses a single shared secret for both signing and verification. RS256 uses an asymmetric RSA key pair — the server signs with the private key and clients verify with the public key.
- How do I check if a JWT has expired?
- The exp claim is a Unix timestamp in seconds. Compare it to the current time: if exp < Date.now()/1000, the token has expired. The decoder highlights expired tokens automatically.
- Can I decode JWTs from any OAuth provider?
- Yes. Any standards-compliant JWT from Google, Auth0, Cognito, or your own auth server uses the same three-part Base64url encoding and can be decoded with this tool.
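The decoding and expiry check described in the FAQ, written out as an added example (not this tool's own code). It decodes the example token from this page and applies the same exp comparison. The function names and the findings list are assumptions made for illustration, and decoding alone never verifies the signature.

```javascript
// Added example: decode a JWT without verifying it, then run basic claim checks.
// TOKEN is the example token from this page. Its third part is the literal
// placeholder "signature", so nothing here can validate authenticity.
const TOKEN =
  "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCIsImtpZCI6ImFiYzEyMyJ9." +
  "eyJzdWIiOiJ1c2VyXzQ1NiIsImlzcyI6Imh0dHBzOi8vYXV0aC5leGFtcGxlLmNvbSIsImF1ZCI6" +
  "ImFwaS5leGFtcGxlLmNvbSIsImlhdCI6MTcwMDAwMDAwMCwiZXhwIjoxNzAwMDAzNjAwLCJzY29w" +
  "ZSI6InJlYWQ6cHJvZmlsZSB3cml0ZTpwb3N0cyIsInJvbGUiOiJlZGl0b3IiLCJlbWFpbCI6InVz" +
  "ZXJAZXhhbXBsZS5jb20ifQ.signature";

// Base64url -> UTF-8 text: restore the standard alphabet and the stripped padding.
function b64urlDecode(segment) {
  if (!/^[A-Za-z0-9_-]+$/.test(segment)) throw new Error("not base64url");
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes);
}

// Split into header.payload.signature and parse the first two parts as JSON.
function decodeJwt(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  return {
    header: JSON.parse(b64urlDecode(parts[0])),
    payload: JSON.parse(b64urlDecode(parts[1])),
  };
}

// nowSeconds is injectable so the expiry check can be tested deterministically.
function inspectJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const { header, payload } = decodeJwt(token);
  const findings = [];
  if (String(header.alg).toLowerCase() === "none") {
    findings.push("alg is none: token is unsigned");
  }
  if (typeof payload.exp !== "number") {
    findings.push("exp missing or not numeric");
  } else if (payload.exp < nowSeconds) {
    findings.push("expired"); // same comparison as the FAQ: exp < Date.now()/1000
  }
  // verified stays false: claims are untrusted until the signature is checked.
  return { header, payload, findings, verified: false };
}
```

Treat the returned claims as debugging output only; authorization decisions belong after server-side signature verification against the expected algorithm and key.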