Free JWT Decoder and Claims Inspector

A browser-based JWT decoder that decodes the header and payload of JSON Web Tokens without sending data anywhere. Inspect claims like sub, iat, exp, and nbf with automatic timestamp conversion to human-readable dates. The tool warns about insecure algorithms (alg: none) and explains the signature verification status.

What is JWT Decoder and Claims Inspector?

Paste a JWT token to decode its header and payload. Timestamps (iat, exp, nbf) are automatically converted to readable dates. All decoding is local — your token is never uploaded.

Limitations

  • Does not verify JWT signatures — this tool is for inspection only, not for security validation. Never trust decoded claims without server-side verification.
  • Cannot decode encrypted JWTs (JWE) — only signed JWTs (JWS) with base64url-encoded payloads are supported.
  • Timestamp conversion uses the browser's local timezone — the displayed time may differ from the server's timezone.

How to use this tool

  1. Paste your JWT token into the input area.
  2. Review the decoded header (algorithm, type) and payload (claims).
  3. Check timestamp fields for expiration and issue time in human-readable format.
  4. Note any security warnings about weak algorithms.

What you can use it for

  • Quickly inspect a JWT from an API response to verify the user ID, roles, and expiration time.
  • Debug an authentication flow by checking if the token has expired or contains the expected claims.
  • Verify the token algorithm before implementing server-side verification.

Use cases

Practical examples

Inspect an API access token

A frontend developer receives a JWT from an OAuth flow. They paste it into the decoder to see the user ID (sub claim), expiration time (exp), and issued-at time (iat) in readable format before the token is used for API calls.

Debug an expired token issue

A user reports being logged out unexpectedly. The developer decodes the JWT and sees the exp timestamp converted to local time — the token expired 5 minutes ago. They adjust the refresh token logic accordingly.

Common mistakes

  • Assuming JWT decoding means the token is verified — decoding only reads the contents, it does not validate the signature. Anyone can decode a JWT without a key.
  • Trusting JWT claims without verifying the signature in production — always verify the signature server-side before trusting claims.
  • Forgetting that the JWT payload is base64url-encoded (not encrypted) — sensitive data should never be stored in JWT claims.

Verification

  1. Paste the default JWT token and verify the header shows alg: HS256 and typ: JWT.
  2. Check that the payload shows name: John Doe and the timestamps are converted to readable dates.

FAQ

Questions about JWT Decoder and Claims Inspector

Does this tool verify JWT signatures?

No. This tool decodes the header and payload for inspection only. Signature verification requires the secret key or public key, which should never be entered into a browser tool. For signature verification, use a server-side library like jsonwebtoken (Node.js) or PyJWT (Python).

Are my tokens sent to a server?

No. All decoding happens in your browser using JavaScript. The token never leaves your machine. You can verify this by disconnecting from the internet after loading the page — the tool will continue to work.

What is the difference between iat, exp, and nbf?

iat (Issued At) is when the token was created. exp (Expiration) is when the token becomes invalid — after this time, the token should be rejected. nbf (Not Before) is a time before which the token must not be accepted. All are Unix timestamps in seconds.
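
The decode-only inspection described on this page, sketched as an added example for Node.js (it is not the tool's own code): it splits a compact JWS, base64url-decodes the header and payload, flags alg: none, and converts iat, exp and nbf. The names inspectJwt, b64urlToJson and makeToken and both sample tokens are constructed for illustration.

```javascript
// Added example: decode-only inspection of a compact JWS. It never checks the signature.
function b64urlToJson(segment) {
  // Map the base64url alphabet back to base64; Node tolerates missing padding.
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

function inspectJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split('.');
  // A compact JWS has three segments; a JWE has five and cannot be read this way.
  if (parts.length !== 3) throw new Error(`expected 3 segments, got ${parts.length}`);
  const header = b64urlToJson(parts[0]);
  const payload = b64urlToJson(parts[1]);
  const warnings = [];
  if (typeof header.alg !== 'string' || header.alg.toLowerCase() === 'none') {
    warnings.push('alg is none or missing: the token is unsigned');
  }
  if (parts[2] === '') warnings.push('signature segment is empty');
  // Claims are Unix seconds; ISO 8601 output is UTC, so it does not depend on local timezone.
  const dates = {};
  for (const claim of ['iat', 'exp', 'nbf']) {
    if (typeof payload[claim] === 'number') {
      dates[claim] = new Date(payload[claim] * 1000).toISOString();
    }
  }
  let timeStatus = 'within validity window';
  if (typeof payload.exp === 'number' && nowSeconds >= payload.exp) {
    timeStatus = 'expired';
  } else if (typeof payload.nbf === 'number' && nowSeconds < payload.nbf) {
    timeStatus = 'not yet valid';
  }
  // signatureVerified is always false: decoded claims are untrusted until a server verifies them.
  return { header, payload, dates, timeStatus, warnings, signatureVerified: false };
}

// Constructed sample tokens (the signature values are placeholders, not real MACs).
function makeToken(header, payload, sig) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc(header)}.${enc(payload)}.${sig}`;
}
const SAMPLE_HS256 = makeToken({ alg: 'HS256', typ: 'JWT' },
  { sub: '1234567890', name: 'John Doe', iat: 1700000000, exp: 1700003600 }, 'c2ln');
const SAMPLE_NONE = makeToken({ alg: 'none', typ: 'JWT' }, { sub: 'user', nbf: 1700000000 }, '');
```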
