Free JWT Decoder & Debugger Online
Paste any JSON Web Token to instantly inspect its header, payload, and claims. Built-in expiration check, standard-claim explanations, and 100% client-side decoding — your token never leaves your browser.
Zero Network, Zero Logging
Decoding happens entirely in your browser. We never send your token, header, payload, or signature to any server. Safe for production tokens during debugging.
Instant Expiration Verdict
Automatic check of `exp` and `nbf` claims with human-readable countdowns. Spot expired tokens at a glance instead of squinting at Unix timestamps.
Standard Claim Definitions
RFC 7519 reserved claims (iss, sub, aud, exp, nbf, iat, jti) are highlighted with inline descriptions so you can teach your team or audit a token quickly.
Algorithm + Type Surfacing
Header `alg` and `typ` are extracted and labelled. Identify HS256, RS256, ES256, EdDSA, and risky `alg: none` tokens before they hit your auth middleware.
The Definitive JWT Decoder for Privacy-Conscious Engineers
JSON Web Tokens (JWTs) are the de facto credential format for modern authentication. Whether you are debugging an OAuth2 flow, auditing a Supabase session, inspecting a Firebase auth token, or reverse-engineering an Auth0 redirect, you need a fast, accurate decoder that does not silently log your tokens to a remote server. Our Free Online JWT Decoder & Debugger is built for that exact moment. Decoding runs entirely in your browser — your token, its claims, and its signature stay on your device. Always.
Because JWT segments are base64url-encoded, you can also explore the underlying encoding with our Base64 Decoder. For cryptography-adjacent workflows, pair the decoder with our Hash Generator (SHA-256 is the digest behind HS256 / RS256) and our UUID Generator for generating jti claim values.
Anatomy of a JWT: Three Segments You Must Understand
Header
Declares the signing algorithm (alg) and token type (typ). Always JSON, always base64url-encoded.
Payload
Carries the claims — standard ones from RFC 7519 plus any custom claims your application defines. Visible to anyone, so never put secrets here.
Signature
A signature over the encoded header + payload: an HMAC tag for HS256, an asymmetric signature for RS256, ES256 and EdDSA. It cannot be re-created without the secret or private key. This is what makes the token tamper-evident.
JWT Algorithms: A Quick Reference for Auditors
| Algorithm | Family | Key Type | Typical Use |
|---|---|---|---|
| HS256 | HMAC + SHA-256 | Shared secret | Single-service apps, Supabase, internal systems |
| RS256 | RSA + SHA-256 | Public/private pair | Auth0, AWS Cognito, Firebase, OIDC providers |
| ES256 | ECDSA + P-256 + SHA-256 | Public/private pair | Apple Sign-In, modern OIDC, lower-bandwidth contexts |
| EdDSA | Ed25519 / Ed448 | Public/private pair | High-performance modern systems; smallest signatures |
| none | No signature | N/A | NEVER use in production — historical attack vector |
JWT Security Pitfalls Every Engineer Should Recognize
The alg: none Attack
Verifiers that trust the header's alg claim can be tricked by an attacker who removes the signature and sets alg to none. Always pin to an allow-list of algorithms in your library.
RS256 → HS256 Confusion
If a verifier accepts both algorithms, attackers can sign HS256 tokens using your public RSA key as the HMAC secret. Lock the algorithm down at the verifier.
Long-Lived Access Tokens
A stateless verifier cannot revoke a JWT once issued (there is no per-token state to consult). Keep exp short (minutes, not hours) and rely on refresh tokens stored server-side for re-issuance.
PII in the Payload
The payload is not encrypted — only signed. Anyone with the token can read every claim. Never put passwords, SSNs, or sensitive PII into a JWT payload.
A Reproducible JWT Debugging Workflow
Capture the Token
Grab the `Authorization: Bearer` value from DevTools or your backend logs.
Decode & Inspect
Paste above. Confirm alg, iss, aud, and exp match what your verifier expects.
Validate Server-Side
Run the token through your real verifier with the correct key. This tool never substitutes for cryptographic verification.
Rotate If Leaked
Once a JWT or signing key is exposed in a screenshot, log, or chat, rotate the key. Rotating late is the #1 cause of follow-on incidents.