acento.io

JWT Decoder

Paste any JSON Web Token to instantly decode its header, payload, and claims — all client-side, so your token never leaves your browser.

By Carlos Suárez, Systems engineer

What this JWT decoder does

This JWT decoder splits an RFC 7519 token in JWS compact serialization into its three Base64URL-encoded parts (header, payload, and signature) and renders the first two as readable JSON. Standard claims such as exp, iat, iss, sub, aud, nbf, and jti are highlighted automatically, and the tool tells you at a glance whether the token has already expired. One thing this tool deliberately does not do: verify the signature. Verification requires the issuer's secret or public key, and you should never paste a signing secret into a third-party website. Everything here runs in your browser: the token is parsed by client-side JavaScript and is never uploaded, logged, or stored, so tokens that contain PII can be inspected without sending that data anywhere. Remember that a live access token is still a bearer credential wherever you paste it; prefer expired or test tokens when you can.

Features

  • Instant Base64URL decode. Splits the token on the two dots and decodes each segment from Base64URL to JSON, with no server round-trip. Note that the naive one-liner JSON.parse(atob(token.split('.')[1])) is not quite enough: Base64URL uses '-' and '_' instead of '+' and '/' and drops the trailing '=' padding, so atob() can throw or mis-decode, and its output is a Latin-1 string rather than UTF-8. The decoder maps the alphabet back, restores padding, and decodes the bytes as UTF-8 before parsing.
  • Standard claims inspector. Highlights iss, sub, aud, exp, iat, nbf, and jti in the payload so you can spot issuer or audience mismatches without hunting through raw JSON.
  • Expiration status badge. Compares exp against the current local clock and shows a clear Expired or Not expired badge, useful when debugging stale access tokens from OAuth flows.
  • Bearer prefix auto-strip. Accepts tokens pasted directly from an Authorization header — the Bearer prefix is stripped automatically so you don't have to clean the value first.
  • Algorithm display. Shows the alg field from the header (HS256, RS256, ES256, and others) so you can quickly confirm whether the token was issued with the algorithm your service expects. Keep in mind that the header is attacker-controlled input: a verifier must pin the algorithm it accepts in its own configuration rather than trusting whatever alg the token announces.
  • One-click copy. Each decoded section has its own Copy button, making it easy to grab the payload JSON and paste it into a test fixture or a ticket without reformatting.

How to use the JWT decoder

Paste your token, and the decoder splits and formats everything in real time. No button to click — results appear as you type.

  1. Copy the token. Grab the raw JWT from your browser's DevTools Network tab, from an Authorization header, or from your auth provider's dashboard. The full string including any Bearer prefix is fine.
  2. Paste into the input. Drop it into the text area. The decoder splits the token on the two period characters and Base64URL-decodes each part immediately.
  3. Read the payload. Inspect custom claims, check aud and iss against what your service expects, and confirm whether exp is in the future. In Python with PyJWT you can replicate this offline with jwt.decode(token, options={'verify_signature': False}), which likewise returns unverified claims.
  4. Check expiration. The status badge tells you instantly if the token has passed its exp timestamp — a common cause of 401 errors in OAuth and OpenID Connect flows.
  5. Copy individual sections. Use the Copy button next to Header, Payload, or Signature to extract exactly the JSON you need for a test case or a bug report.
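The five steps above, carried through as one complete client-side decoder. This is an added example, not the acento.io tool's own source: it strips a Bearer prefix, converts each segment from Base64URL (restoring padding and mapping '-' and '_' back) before calling atob(), decodes the bytes as UTF-8, rejects five-segment JWE input, and reports expiry against an injectable clock with an optional leeway. It never touches the signature. The sample tokens are constructed for the demo; the first is the widely circulated HS256 example whose payload is {"sub":"1234567890","name":"John Doe","iat":1516239022}, and the helper buildSampleToken mints unsigned tokens with a placeholder signature.

```javascript
// Added example, not the page's own code. Runs in any modern browser or
// Node 18+ (atob, btoa, TextEncoder and TextDecoder are globals in both).

// Base64URL (RFC 4648 section 5) differs from plain Base64: '-' and '_'
// replace '+' and '/', and '=' padding is dropped. atob() expects plain
// Base64, so map the alphabet back and restore the padding first.
function base64UrlToBytes(segment) {
  if (!/^[A-Za-z0-9_-]*$/.test(segment)) {
    throw new Error("segment is not Base64URL");
  }
  let b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const rem = b64.length % 4;
  if (rem === 1) throw new Error("invalid Base64URL length");
  if (rem) b64 += "=".repeat(4 - rem);
  const bin = atob(b64); // Latin-1 string, one char per byte
  const bytes = new Uint8Array(bin.length);
  for (let i = 0; i < bin.length; i++) bytes[i] = bin.charCodeAt(i);
  return bytes;
}

// Claims may contain non-ASCII text, so decode the raw bytes as UTF-8
// instead of parsing the atob() string directly.
function base64UrlToJson(segment) {
  const text = new TextDecoder("utf-8", { fatal: true }).decode(base64UrlToBytes(segment));
  return JSON.parse(text);
}

// Accepts a raw token or a full "Authorization: Bearer ..." value.
// nowSeconds is injectable so the expiry check can be tested; leewaySeconds
// mirrors the small clock-skew allowance that verifying libraries grant.
function decodeJwt(input, { nowSeconds = Math.floor(Date.now() / 1000), leewaySeconds = 0 } = {}) {
  const token = input.trim().replace(/^Bearer\s+/i, "");
  const parts = token.split(".");
  if (parts.length === 5) {
    throw new Error("five segments: this is a JWE (encrypted), not a JWS; it needs the decryption key");
  }
  if (parts.length !== 3) {
    throw new Error(`expected 3 dot-separated segments, got ${parts.length}`);
  }
  const [h, p, s] = parts;
  const header = base64UrlToJson(h);
  const payload = base64UrlToJson(p);
  if (typeof payload !== "object" || payload === null || Array.isArray(payload)) {
    throw new Error("payload is not a JSON object");
  }

  // RFC 7519: the token is valid only while the current time is before exp.
  let expiry = "no exp claim";
  if (payload.exp !== undefined) {
    if (typeof payload.exp !== "number") throw new Error("exp must be a NumericDate");
    expiry = nowSeconds >= payload.exp + leewaySeconds ? "Expired" : "Not expired";
  }
  // verified is always false: nothing here checked the signature.
  return { header, payload, signature: s, expiry, verified: false };
}

// Constructed sample: the well-known HS256 demo token (payload
// {"sub":"1234567890","name":"John Doe","iat":1516239022}).
const SAMPLE_TOKEN =
  "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9." +
  "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ." +
  "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c";

// Encoder used only to mint constructed samples for the demo.
function base64UrlEncodeJson(obj) {
  const bytes = new TextEncoder().encode(JSON.stringify(obj));
  const b64 = btoa(String.fromCharCode(...bytes));
  return b64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Unsigned sample with an exp and a non-ASCII issuer; the signature segment
// is a placeholder ("signature" in Base64URL) since it is never checked.
function buildSampleToken(exp) {
  return [
    base64UrlEncodeJson({ alg: "HS256", typ: "JWT" }),
    base64UrlEncodeJson({ iss: "https://issuer.example/ü", sub: "alice", exp }),
    "c2lnbmF0dXJl",
  ].join(".");
}

console.log(decodeJwt("Bearer " + SAMPLE_TOKEN));
console.log(decodeJwt(buildSampleToken(2000000000), { leewaySeconds: 60 }).expiry);
```

The exp comparison deliberately takes an injectable clock: when you see a surprising Expired badge, call the decoder with the server's timestamp instead of Date.now() and the skew question answers itself.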

Common use cases

  • Debugging expired-token errors. When a service returns a 401, paste the bearer token here to confirm whether exp has already passed before digging into logs. Saves minutes of guesswork.
  • Inspecting issuer and audience mismatches. Multi-tenant SaaS applications often issue tokens scoped to a specific aud. Decode the access token to verify that iss and aud match what your middleware is configured to accept.
  • Reading provider-specific custom claims. Auth0, Okta, Cognito, and similar platforms embed custom claims (roles, permissions, org IDs) in the payload. Decode the token to see exactly what claims are present before writing claim-mapping code.
  • Pre-flight checks before integration tests. Validate token structure and algorithm before a test suite runs. Catching a misconfigured alg field at this stage — rather than inside a test assertion — cuts debugging time considerably.
  • Security audits and code review. During a code review, quickly confirm that a sample token uses the algorithm the design calls for (for services that only verify, an asymmetric algorithm such as RS256 or ES256 so that verifiers hold no key that can mint tokens, rather than a shared HS256 secret), and that no sensitive fields are being embedded in the payload, which anyone holding the token can read since it is only Base64URL-encoded.

Frequently asked questions

Is it safe to decode a token that contains personal data?

Yes, as far as this tool is concerned: it is 100% client-side. Decoding happens entirely in your browser using JavaScript's built-in Base64 parser (atob) plus the Base64URL character mapping. No data is transmitted to any server, logged, or stored, so you can inspect tokens that include email addresses, user IDs, or other PII. The token itself is still a bearer credential, so treat the clipboard and any browser extensions with the same care you would give a password.

What is the difference between decoding and verifying a JWT?

Decoding is just Base64URL parsing — anyone can do it without a key, which is by design. JWT payloads are not encrypted (that is JWE, a separate standard). Verification is a separate cryptographic step that confirms the signature was produced by the expected key. Never treat decoded claims as trusted for authorization decisions unless the signature has been verified by your backend or library.

Why does my token show 'Expired' even though it should still be valid?

The expiration check compares the exp claim against your local system clock. exp is a NumericDate, a count of seconds since the Unix epoch in UTC, so time zones play no part; only clock skew does. If your computer's time is off, even by a few minutes, the badge may show Expired for a token that your server, running on NTP-synchronized time, still considers valid. Check your system clock first. Verifying libraries typically allow a small leeway (e.g., 60 seconds) for exactly this reason.

What is the alg=none vulnerability I keep reading about?

The JOSE specifications (RFC 7515, RFC 7518 and RFC 7519, all published in 2015) define alg: none for "unsecured" JWTs that carry no signature. Some early JWT libraries accepted this value from the token header and skipped verification entirely, so an attacker could set alg to none, drop the signature segment, and have any payload accepted. Never configure your server to accept alg: none, and pin the algorithms you do accept in the verifier rather than reading them from the token. This decoder displays the algorithm field so you can immediately spot a token that carries this footgun.

Can I decode an encrypted JWT (JWE)?

No, and neither can any other client-side tool without the decryption key. A JWE in compact serialization has five dot-separated segments rather than three, and only the first (the protected header) is plain Base64URL-encoded JSON; the encrypted key, IV, ciphertext and authentication tag are binary, so the claims are genuinely encrypted, not merely encoded. The key needed to read them should never leave your secure infrastructure. If you paste a JWE here, the decoder will show an error or raw bytes in the payload field.

What does 'parse JWT' or 'jwt parser' mean compared to decode?

They mean the same thing in everyday usage. Parsing a JWT typically refers to splitting the three dot-separated segments and deserializing the JSON from each Base64URL part, identical to what this decoder does. Some libraries use 'parse' in their API names (e.g., jjwt's Jwts.parser()) while others say 'decode' (e.g., PyJWT's jwt.decode), but the underlying transformation is the same; whether a given call also verifies the signature depends on the library, so check its documentation before relying on the result.