JWT Decoder

Decode JSON Web Tokens instantly. View header, payload, and signature with syntax highlighting, expiration checks, and claims analysis — all in your browser.

About JWT Decoder

A JSON Web Token (JWT) is a compact, URL-safe string made of three Base64url-encoded segments separated by dots: a JOSE header that declares the signing algorithm (for example HS256 or RS256), a claims payload that carries the actual data (user ID, roles, expiry, issuer, and any custom fields), and a cryptographic signature that proves the token has not been tampered with. JWTs are the dominant credential format in modern REST APIs, OAuth 2.0 / OpenID Connect flows, and single sign-on systems because a server can validate them without a database round-trip.

This JWT Decoder lets you inspect the full contents of any token in seconds. Paste a raw JWT and click Decode: the tool splits the three segments, Base64url-decodes the header and payload into syntax-highlighted JSON, converts every Unix timestamp (iat, exp, nbf) into a human-readable date in your local timezone, explains each standard registered claim (iss, sub, aud, exp, nbf, iat, jti) inline, and shows a live expiration status banner that tells you exactly how much time is left — or how long ago the token expired. The raw Base64url signature is displayed alongside the algorithm label from the header.

Everything runs entirely inside your browser. Your token is never sent over the network, never logged, and never stored — which matters especially when you are debugging tokens that carry real user IDs, session data, or access scopes. There is no account required, no file size limit, and no cost. If you need to compare a token against its original claims set, or simply want to understand what an authorization server is issuing, this tool gives you the complete picture without exposing your credentials to a third-party server.

Key Features

Three-panel decoded view

Header, payload, and signature are separated into clearly labelled panels with distinct colour coding so you can find any field at a glance.

Live expiration countdown

A status banner reads the exp claim and tells you exactly how long until the token expires, or how long ago it expired — updated to the minute.

Human-readable timestamps

Unix epoch values for iat, exp, and nbf are automatically converted to your local date and time, eliminating the need for a separate epoch converter.

Inline standard-claims guide

Registered claims such as iss, sub, aud, and jti are annotated with plain-English descriptions drawn directly from the RFC 7519 specification.

Syntax-highlighted JSON

Keys, strings, numbers, booleans, and null values are colour-coded in the output so nested claim structures are easy to read without formatting manually.

Fully client-side and private

Decoding happens in your browser with no network requests. Tokens containing real user data, session secrets, or access scopes never leave your machine.

How to Use

01

Paste Your Token

Copy a JWT from your application, API response, or authorization header and paste it into the input field.

02

Click Decode

Hit the "Decode" button to split and Base64url-decode the token into its header, payload, and signature components.

03

Review Results

Inspect the decoded JSON with syntax highlighting, check expiration status, and review standard claims with their descriptions.

Example

A real HS256 token is split into its three segments. The header reveals the algorithm, the payload exposes all claims with timestamps decoded to readable dates, and the raw signature is shown with a note that validation requires the issuer key.

Raw JWT
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyLCJleHAiOjE5MTYyMzkwMjIsImlzcyI6Imhhenl1LnRvb2xzIiwiYXVkIjoiaHR0cHM6Ly9oYXp1dS50b29scyIsImp0aSI6ImFiYzEyMyJ9.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
Decoded header + payload
HEADER
{
  "alg": "HS256",
  "typ": "JWT"
}

PAYLOAD
{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022,   → Thu, Jan 18 2018 01:30:22 UTC (Issued At)
  "exp": 1916239022,   → Sat, Sep 21 2030 16:37:02 UTC (Expires At)
  "iss": "hazyu.tools",
  "aud": "https://hazuu.tools",
  "jti": "abc123"
}

SIGNATURE  (Base64url — HS256)
SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Common Use Cases

  • Debugging authentication failures

    When an API returns 401 Unauthorized, paste the bearer token to check whether the exp claim has passed, whether the aud matches the expected audience, or whether the sub is correct — without touching the server.

  • Auditing third-party tokens in OAuth flows

    Inspect ID tokens and access tokens returned by identity providers such as Auth0, Cognito, or Google to confirm the scopes, roles, and issuer before wiring them into your application logic.

  • Understanding token structure during development

    When building a new API that issues JWTs, verify that your signing library encodes the algorithm, expiry, and custom claims exactly as specified — catching mismatches before they reach production.

  • Reading timestamp claims without a converter

    The iat and exp fields are Unix epoch integers. This decoder converts them to your local date and time inline, so you can confirm token lifetimes without a separate epoch tool — unlike the sibling JSON Formatter, which only pretty-prints raw JSON.

  • Security reviews and penetration testing

    During a code review or pentest, quickly inspect tokens captured from HTTP traffic to check for missing expiry claims, overly broad audience values, or risky algorithm choices such as none (no signature at all) or HS256 (a shared secret that every verifier must hold) on public endpoints.
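
The review checks named in the last use case can be scripted. The following JavaScript (Node.js) block is an added example, not this tool's own code: it decodes a token without verifying it and lists findings such as alg none, a missing exp, or an expired token. The function names, finding strings, and sample tokens are constructed for illustration.

```javascript
// Added example: decode a JWT (no verification) and flag claims worth a closer look.
// Names and finding strings are illustrative; they are not taken from the tool.

// Decode one Base64url segment into a parsed JSON object.
function decodeSegment(segment, label) {
  let value = null;
  if (/^[A-Za-z0-9_-]+$/.test(segment)) {
    try {
      value = JSON.parse(Buffer.from(segment, 'base64url').toString('utf8'));
    } catch {
      value = null;
    }
  }
  if (value === null || typeof value !== 'object') {
    throw new Error(`${label}: not Base64url-encoded JSON`);
  }
  return value;
}

// Require exactly three dot-separated segments; the signature stays undecoded.
function decodeJwt(token) {
  const parts = token.trim().split('.');
  if (parts.length !== 3) throw new Error(`expected 3 segments, got ${parts.length}`);
  return {
    header: decodeSegment(parts[0], 'header'),
    payload: decodeSegment(parts[1], 'payload'),
    signature: parts[2],
  };
}

// Checks on unverified contents; nowSec is a parameter so results are repeatable.
function auditJwt(token, nowSec) {
  const { header, payload, signature } = decodeJwt(token);
  const findings = [];
  if (String(header.alg).toLowerCase() === 'none') findings.push('alg is none (unsigned)');
  if (signature === '') findings.push('empty signature segment');
  if (typeof payload.exp !== 'number') findings.push('no exp claim');
  else if (payload.exp <= nowSec) findings.push(`expired ${nowSec - payload.exp}s ago`);
  if (typeof payload.nbf === 'number' && payload.nbf > nowSec) findings.push('nbf is in the future');
  if (payload.aud === undefined) findings.push('no aud claim');
  return findings;
}

// Constructed sample tokens (no real credentials).
const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const unsignedToken = `${enc({ alg: 'none', typ: 'JWT' })}.${enc({ sub: 'demo-user' })}.`;
const expiredToken = `${enc({ alg: 'HS256' })}.${enc({ sub: 'demo-user', aud: 'api', exp: 1700000000 })}.c2ln`;

console.log(auditJwt(unsignedToken, 1700000100), auditJwt(expiredToken, 1700000100));
```
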

Frequently Asked Questions

What is a JWT Decoder?
A JWT Decoder is a tool that splits a JSON Web Token into its three components (header, payload, and signature), decodes the Base64url-encoded header and payload into readable JSON, and displays the results. It helps developers inspect token contents, verify claims, and debug authentication issues without needing the signing secret.
Is it safe to decode JWTs in the browser?
Yes. Decoding a JWT only reveals its contents — it does not validate or forge the signature. This tool processes everything locally in your browser using JavaScript. No data is sent to any server. However, you should never share tokens containing sensitive data in untrusted environments.
Can this tool verify the JWT signature?
This tool decodes and displays the signature but does not verify it cryptographically. Signature verification requires the secret key (HMAC) or public key (RSA/ECDSA) used by the token issuer, which is not available to a client-side decoder.
What do the standard JWT claims mean?
Standard claims are registered in the IANA JSON Web Token Claims registry. Common ones include: iss (issuer), sub (subject), aud (audience), exp (expiration time), nbf (not before), iat (issued at), and jti (JWT ID). Each serves a specific role in token validation and authorization logic.
How is this different from the JSON Formatter tool?
The JSON Formatter pretty-prints any JSON text. This JWT Decoder is specifically designed for the three-segment JWT format: it Base64url-decodes the header and payload automatically, converts Unix timestamp claims to human-readable dates, annotates standard registered claims with their RFC 7519 definitions, and shows a live expiration status banner. Pasting a raw JWT into the JSON Formatter would show only the encoded string, not the underlying claims.
Why does the exp claim show as an integer instead of a date?
JWTs store time values as Unix epoch seconds (a plain integer) per RFC 7519. This decoder automatically converts any iat, exp, and nbf values to your local date and time in the Timestamps panel below the payload JSON, so you never need to convert them manually.
What JWT algorithms does the decoder support?
The decoder reads any well-formed JWT regardless of algorithm, because decoding only requires Base64url-decoding the header and payload; no cryptographic operation is needed. Tokens signed with HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, and PS variants will all decode correctly. The algorithm name shown in the signature panel header is taken directly from the alg header parameter.
What happens if I paste a malformed token?
The tool checks that the token has exactly three dot-separated segments. If the count is wrong, or if the Base64url encoding of the header or payload cannot be parsed as JSON, an error message is shown explaining which part failed. Partial tokens and tokens with extra whitespace are handled gracefully.
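
The FAQ answer on signature verification notes that a decoder shows claims without checking them. The following Node.js block is an added example, not this tool's code: it issues an HS256 token with a throwaway key, then shows that a token with an edited payload still decodes but fails verification. The key, claims, and function names are constructed for the demonstration.

```javascript
// Added example (Node.js): decoding succeeds on a tampered token, verification does not.
// The key, claims and function names are constructed for this demonstration.
const crypto = require('crypto');

const b64url = (data) => Buffer.from(data).toString('base64url');

// Issue an HS256 token: HMAC-SHA256 over "<header>.<payload>".
function signHs256(payload, key) {
  const head = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const signingInput = `${head}.${b64url(JSON.stringify(payload))}`;
  const sig = crypto.createHmac('sha256', key).update(signingInput).digest('base64url');
  return `${signingInput}.${sig}`;
}

// Verify before trusting any claim. The algorithm is pinned by the verifier,
// never chosen from the token's own header.
function verifyHs256(token, key, nowSec) {
  const parts = token.split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  let header, payload;
  try {
    header = JSON.parse(Buffer.from(parts[0], 'base64url').toString('utf8'));
    payload = JSON.parse(Buffer.from(parts[1], 'base64url').toString('utf8'));
  } catch {
    return { ok: false, reason: 'malformed' };
  }
  if (!header || header.alg !== 'HS256') return { ok: false, reason: 'unexpected alg' };
  const expected = crypto.createHmac('sha256', key).update(`${parts[0]}.${parts[1]}`).digest();
  const given = Buffer.from(parts[2], 'base64url');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: 'bad signature' };
  }
  if (!payload || typeof payload.exp !== 'number' || payload.exp <= nowSec) {
    return { ok: false, reason: 'expired or no exp' };
  }
  return { ok: true, payload };
}

const demoKey = crypto.randomBytes(32); // throwaway key, generated per run
const now = 1700000000;                 // fixed clock so results are repeatable
const good = signHs256({ sub: 'demo-user', role: 'viewer', exp: now + 300 }, demoKey);
// Original signature, edited payload: a decoder would display this role without complaint.
const [h, , s] = good.split('.');
const editedBody = b64url(JSON.stringify({ sub: 'demo-user', role: 'admin', exp: now + 300 }));
const tampered = `${h}.${editedBody}.${s}`;

console.log(verifyHs256(good, demoKey, now).ok, verifyHs256(tampered, demoKey, now).reason);
```
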