JWT Decoder
Paste a JWT below to decode its header, payload, and signature. Donfig's JWT decoder color-codes the three segments, parses the header and payload as JSON, and surfaces standard claims (iss, sub, aud, exp, nbf, iat, jti) with their human meanings and relative timestamps — "expired 3h ago", "issued 2 days ago", "valid for another 11 minutes". A status chip tells you if the token has expired. Toggle to Claims view for a row-per-claim breakdown. Decoding is purely client-side: nothing about your token is logged or transmitted.
Frequently asked
Does decoding verify the signature?
Decoding alone doesn't verify the signature. Use the Verify panel below the token: paste the secret (HS256 is the only algorithm supported in the browser) and the chip turns green if the signature matches.
Can it decode any algorithm?
Decoding works for any algorithm because the header and payload are always Base64URL-encoded JSON. Verification is HS256-only in the browser; RS256/ES256 require the public key, which we'll add in a follow-up.
Is it safe to paste a real production token?
Decoding never leaves your browser. That said, you should treat valid production tokens as secrets and rotate them if you've shared them in any form, including pasting into web tools.
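The decode step described in the answers above, as an added example that is not Donfig's own code: it splits a token, Base64URL-decodes the header and payload, and derives the expiry status from exp and nbf. The function names, the sample token and the fixed clock value are constructed for illustration, and the signature is deliberately left unchecked.

```javascript
// Added example, not the tool's code: decode-only inspection of a JWT.
// Nothing here checks the signature, so every claim is untrusted input.
function b64urlToText(seg) {
  if (!/^[A-Za-z0-9_-]+$/.test(seg)) throw new Error('segment is not Base64URL');
  const b64 = seg.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return new TextDecoder('utf-8', { fatal: true }).decode(bytes);
}

// Coarse relative duration, in the style of "3h" or "11 minutes".
function relative(seconds) {
  const s = Math.abs(seconds);
  if (s < 60) return `${s}s`;
  if (s < 3600) return `${Math.floor(s / 60)} minutes`;
  if (s < 86400) return `${Math.floor(s / 3600)}h`;
  return `${Math.floor(s / 86400)} days`;
}

function decodeJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split('.');
  if (parts.length !== 3) throw new Error('expected header.payload.signature');
  const header = JSON.parse(b64urlToText(parts[0]));
  const payload = JSON.parse(b64urlToText(parts[1]));
  let status = 'no exp claim';
  if (typeof payload.exp === 'number') {
    status = payload.exp <= nowSeconds
      ? `expired ${relative(nowSeconds - payload.exp)} ago`
      : `valid for another ${relative(payload.exp - nowSeconds)}`;
  }
  if (typeof payload.nbf === 'number' && payload.nbf > nowSeconds) {
    status = `not valid for another ${relative(payload.nbf - nowSeconds)}`;
  }
  // verified stays false: decoding proves nothing about who issued the token.
  return { header, payload, signature: parts[2], status, verified: false };
}

// Constructed sample token; the third segment is a placeholder, not a real MAC.
function makeSampleToken(payload) {
  const enc = (o) => btoa(JSON.stringify(o))
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'HS256', typ: 'JWT' })}.${enc(payload)}.bm90LWEtcmVhbC1zaWduYXR1cmU`;
}

const NOW = 1700000000; // fixed clock so the output is reproducible
console.log(decodeJwt(makeSampleToken({ sub: 'user-123', exp: NOW - 10800 }), NOW).status);
```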