ruxox
Start
Start
Auth / JWT

JWT Decoder

Decode and inspect JWT header and payload in your browser. No signature verification — paste tokens from logs safely. Runs entirely client-side.

JWT Decoder

Runs entirely in your browser — no server calls, no tracking.

Paste a JWT and click Decode.

🔒 Your data never leaves this tab. This tool has no backend.

About this tool

About the JWT Decoder

A JWT (JSON Web Token) is a compact, URL-safe token format used for authentication and information exchange between services. A JWT has three Base64url-encoded parts separated by dots: the header (algorithm and token type), the payload (claims — user ID, roles, expiry), and the signature. This tool decodes the header and payload, shows expiry status, and clearly notes that the signature is not verified — because signature verification requires the secret key.

What the claims mean

sub — subject (usually the user ID). iat — issued at (Unix timestamp). exp — expiry (Unix timestamp). aud — audience (the intended recipient service). iss — issuer (the authentication server). jti — JWT ID (unique identifier for this token, used for revocation). These are standard claims; applications add custom claims alongside them (roles, permissions, org IDs).

Using this tool safely

This tool runs entirely in your browser — pasting a JWT here does not expose it to any third party. That said, production JWTs from live systems contain real user identifiers and session data. If you are debugging a production system, prefer to copy the JWT into a local tool or this browser-only decoder rather than a server-side service. Treat long-lived JWTs (weeks or months of expiry) as secrets.

Remember: decoding a JWT does not mean trusting it. Any client can craft a JWT payload with any claims — only the signature, verified with the correct key, proves the token is authentic. Always verify signatures on the server before trusting JWT claims.

FAQ

Frequently asked questions

What is the difference between HS256 and RS256 JWTs?
HS256 uses a symmetric HMAC-SHA256 signature — the same secret is used to sign and verify. Both the issuer and the verifier share the secret. RS256 uses an asymmetric RSA-SHA256 signature — the issuer signs with a private key; verifiers check with the public key. RS256 is better for multi-service architectures where you want services to verify tokens without sharing a secret.
Can I use this decoder to verify a JWT signature?
No — signature verification requires the secret key (HS256) or the public key (RS256/ES256), which are never in the browser. This tool decodes the header and payload only, which are just Base64url-encoded JSON — readable without any key. To verify a signature, use your backend language's JWT library (e.g. jsonwebtoken in Node, PyJWT in Python).
Why does my JWT payload show user data in plain text?
JWT payloads are encoded, not encrypted. Base64url encoding is trivially reversible — it is not a security measure. Anyone who intercepts a JWT can read the payload. If you need to include sensitive data in a token that should not be readable by the client, use JWE (JSON Web Encryption). Standard JWTs (JWS) sign the payload for integrity, not confidentiality.
What is a refresh token and how does it relate to a JWT?
An access token (usually a short-lived JWT) is used to authenticate API requests. A refresh token is a long-lived credential (often an opaque random string, not a JWT) stored securely that can be exchanged for a new access token when the current one expires. The pattern avoids long-lived JWTs while keeping users logged in. The refresh token itself is validated server-side against a token store.
Custom software

Need JWT authentication built for your app?

ruxox builds auth systems, API security, and access control for production web apps. Free estimate in 48 hours.