Security Tools

JWT Token Decoder & Analyzer

Decode and analyze JSON Web Tokens (JWTs) to understand their structure, claims, and expiration. Educational tool for JWT debugging and analysis.

intermediate2-3 minutesRuns in your browser
JWTToken DecoderAuthenticationAuthorization

Interactive workspace

Inputs stay on your device — nothing is sent to our servers unless you choose to share.

Client-side only

Quick Examples (Click to Use)

HS256 Token

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Token with Expiration

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiZXhwIjk5OTk5OTk5OTl9.4Adcj3UFYzPUVaVF43FmMab6RlaQD8A9V8wFzzht-KQ

RS256 Token (Example)

eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiZW1haWwiOiJqb2huQGV4YW1wbGUuY29tIiwiaWF0IjoxNTE2MjM5MDIyLCJleHAiOjE1MTYyNDI2MjJ9.EXAMPLE_SIGNATURE_FOR_RS256_TOKEN

ES256 Token (Example)

eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYXVkIjoiYXBpLmV4YW1wbGUuY29tIiwiaWF0IjoxNTE2MjM5MDIyLCJleHAiOjE1MTYyNDI2MjJ9.EXAMPLE_SIGNATURE_FOR_ES256_TOKEN

Expired Token

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiZXhwIjoxNTE2MjM5MDIyfQ.EXPIRED_TOKEN_SIGNATURE

Token with All Claims

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJpc3MiOiJodHRwczovL2V4YW1wbGUuY29tIiwic3ViIjoiMTIzNDU2Nzg5MCIsImF1ZCI6ImFwaS5leGFtcGxlLmNvbSIsImV4cCI6OTk5OTk5OTk5OSwiaWF0IjoxNTE2MjM5MDIyLCJuYmYiOjE1MTYyMzkwMjIsImp0aSI6ImFiYzEyMyIsInJvbGUiOiJhZG1pbiIsInBlcm1pc3Npb25zIjpbInJlYWQiLCJ3cml0ZSJdfQ.TOKEN_WITH_ALL_CLAIMS_SIGNATURE

Token with Sensitive Data (Warning)

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwicGFzc3dvcmQiOiJzZWNyZXQxMjMiLCJhcGlfa2V5IjoiYWJjZGVmZ2giLCJpYXQiOjE1MTYyMzkwMjJ9.TOKEN_WITH_SENSITIVE_DATA

Token with None Algorithm (Critical)

eyJhbGciOiJub25lIiwidHlwIjoiSldUIn0.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.

Token Missing Expiration

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.TOKEN_WITHOUT_EXPIRATION

Results History

No history yet. Decode some tokens to see your history here.

Security Notice

  • • This tool only decodes JWT tokens, it does not verify signatures
  • • Never share sensitive JWT tokens with untrusted parties
  • • JWT tokens may contain sensitive information in the payload
  • • This tool is for educational and debugging purposes only
  • • Always use HTTPS when transmitting JWT tokens

About JWT Tokens

JSON Web Tokens (JWTs) are compact, URL-safe means of representing claims to be transferred between two parties. They consist of three parts: header (algorithm and token type), payload (claims), and signature (for verification). JWTs are commonly used for authentication and authorization in web applications and APIs.

Documentation

How to use this tool, practical use cases, and technical notes.

The JWT Token Decoder & Analyzer is designed for speed — decoding a token takes under 30 seconds from paste to result. Here is a complete walkthrough of every feature and how to get the most out of the tool.


Step 1 — Obtain a JWT to Analyze

JWTs appear in many places during development and testing. Common sources:

Where to Find JWTs

How to Extract

Browser DevTools → Application → Cookies

Copy the token value from the cookie named access_token, jwt, auth, or similar

Browser DevTools → Application → Local Storage

Look for token, accessToken, id_token keys

Browser DevTools → Network → Request Headers

Filter by XHR/Fetch; look for Authorization: Bearer <token> in request headers

Browser DevTools → Network → Response Body

Look in /login, /auth/token, or /oauth/token responses

Postman / Insomnia

Copy from the Authorization tab or response body

Mobile app proxy (Burp Suite / mitmproxy)

Intercept traffic and copy from Authorization header

curl response in terminal

Parse with jq or copy the raw token value

JWT issued by your auth server during testing

Copy from your test client output


Step 2 — Use the Auto-Detect from Clipboard Feature

Click "Auto-detect from Clipboard" to automatically paste and detect a JWT from your clipboard without manually using Ctrl+V. This is particularly handy during rapid testing sessions where you're copying tokens from multiple browser tabs or terminal windows.

The tool validates that the pasted string matches the JWT three-part dot-separated structure before attempting to decode. If the input is not recognized as a valid JWT format, it will display a format error rather than attempting a decode.


Step 3 — Choose Your Mode

The toolbar provides five operational tabs. Select the appropriate mode for your task:

Tab

When to Use It

Decode

Default — use for inspecting any JWT you encounter

Encode

When building a custom token for testing or demonstration

Verify

When you want a focused validity/expiry check

Compare

When analyzing token differences (e.g., before and after privilege escalation, or across environments)

Extract

When you need just one or two specific fields from a token quickly


Step 4 — Decode the Token

Paste your JWT into the input field and click "Decode JWT". The tool will display:

Header Section

{
  "alg": "HS256",
  "typ": "JWT"
}

Payload Section

{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022,
  "exp": 9999999999
}

Signature Section

SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
[Signature present — verify with secret key to confirm integrity]

Step 5 — Interpret the Results

Reading Standard Claims

The JWT specification (RFC 7519) defines seven registered claims — standardized fields with specific meanings:

Claim

Full Name

Data Type

Description

What to Check

iss

Issuer

String (URI)

Who issued the token

Should match your trusted auth server

sub

Subject

String

Who the token is about (user ID)

Should be the authenticated user's unique identifier

aud

Audience

String or Array

Who the token is intended for

Should match your API/service identifier

exp

Expiration Time

Unix timestamp

When the token expires

Must be in the future; tool flags expired tokens

iat

Issued At

Unix timestamp

When the token was created

Useful for calculating token age

nbf

Not Before

Unix timestamp

Token not valid before this time

Should be ≤ current time

jti

JWT ID

String

Unique identifier for the token

Used to prevent token replay attacks

Reading the Token Status Indicator

Status

Meaning

Action

Valid

Correct format; exp is in the future (or absent)

Token is usable

⚠️ Expired

exp claim is in the past

Re-authenticate to obtain a new token

Invalid

Malformed structure or unparseable JSON in header/payload

Token is corrupted or truncated

🔴 Security Warning

Dangerous algorithm or sensitive data detected

Review security notes; do not use in production


Step 6 — Use the Built-In Quick Examples

The tool ships with 8 pre-loaded example tokens that demonstrate the full range of JWT scenarios. Click any example to instantly load it into the decoder:

Example

Algorithm

What It Demonstrates

HS256 Token

HS256

Standard symmetric signing; basic claims

Token with Expiration

HS256

Non-expired token; exp claim in the far future

RS256 Token (Example)

RS256

Asymmetric signing header structure

ES256 Token (Example)

ES256

Elliptic curve signing; aud claim present

Expired Token

HS256

exp claim in the past; triggers expired warning

Token with All Claims

HS256

Full RFC 7519 claim set including iss, aud, nbf, jti, roles, and permissions

Token with Sensitive Data (Warning)

HS256

Password and API key embedded in payload — demonstrates what NOT to do

Token with None Algorithm (Critical)

none

Critical vulnerability example: unsigned token


Step 7 — Compare Two Tokens

Use the Compare tab to paste two JWTs side by side. This is invaluable in scenarios like:

  • Comparing a regular user token vs. an admin token to understand privilege differences

  • Checking what changed between a token issued before and after a permission change

  • Identifying environment-specific differences (staging vs. production token claims)

  • Bug reports where two users have different access — compare their tokens to find claim discrepancies


Step 8 — Copy Results

Use the copy buttons within each section (Header, Payload, Signature, or full decoded output) to extract the information you need for:

  • Pasting into a bug report or security finding

  • Documenting a token structure in a penetration test report

  • Sharing with a colleague for debugging

  • Saving to a ticket or wiki page


Step 9 — Review History

The Results History panel at the bottom of the workspace tracks all tokens decoded during your session. This is useful when iterating through multiple tokens during a debugging session or security assessment — you can revisit a previous decode without re-pasting.

Note: History is session-only. It clears when you close or refresh the tab.