JWT Decoder
Decode and inspect JSON Web Tokens right in your browser: devnestio.pages.dev/jwt-decoder/
No server, no tracking — everything runs locally.
Features
- Color-coded token visual — header (blue), payload (purple), signature (orange)
- Expiry banner — shows valid/expired status with time remaining or time since expiry
- Claims table — all payload claims with descriptions for standard RFC 7519 claims
- Syntax-highlighted JSON — color-coded keys, strings, numbers, booleans
- Copy buttons — copy header, payload, or the full token
- RFC 7519 quick reference — standard claim descriptions inline
- Pre-loaded with an example JWT
How JWT Decoding Works
A JWT has three base64url-encoded parts separated by dots:
header.payload.signature
Decoding the header and payload is straightforward — just reverse the base64url encoding:
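```javascript
// Decode a base64url segment to a UTF-8 string.
function b64urlDecode(str) {
  // Map the URL-safe alphabet back to standard base64 and restore padding.
  let s = str.replace(/-/g, '+').replace(/_/g, '/');
  while (s.length % 4) s += '=';
  // atob() yields one char per byte; decode the bytes as UTF-8 so
  // non-ASCII claim values survive.
  const bytes = Uint8Array.from(atob(s), c => c.charCodeAt(0));
  return new TextDecoder().decode(bytes);
}

function parseJWT(token) {
  const parts = token.trim().split('.');
  if (parts.length !== 3) throw new Error('Expected 3 parts');
  const header = JSON.parse(b64urlDecode(parts[0]));
  const payload = JSON.parse(b64urlDecode(parts[1]));
  // The signature is returned as-is (still base64url) and is not checked.
  return { header, payload, signature: parts[2] };
}
```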
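The signature part is not verified: that requires the secret key (or, for asymmetric algorithms, the issuer's public key) and happens server-side. This tool decodes and displays the claims only, so the values it shows are unauthenticated.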
Expiry Check
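```javascript
const now = Math.floor(Date.now() / 1000); // exp is in seconds, Date.now() in ms
if (payload.exp !== undefined) {
  // RFC 7519: the token is only acceptable while now is before exp.
  const expired = now >= payload.exp;
  // show banner accordingly
}
```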
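The check above looks only at `exp`. The following added example (not the tool's own code) goes a little further and classifies a decoded token using `exp`, `nbf`, a clock-skew leeway, and basic sanity checks on the header and time claims. The function names, state strings, and sample tokens are assumptions made for illustration.

```javascript
// Added example: classify a decoded, unverified JWT by its time claims.
// b64urlToJson, tokenStatus and makeToken are hypothetical names.
function b64urlToJson(part) {
  let s = part.replace(/-/g, '+').replace(/_/g, '/');
  while (s.length % 4) s += '=';
  const bytes = Uint8Array.from(atob(s), c => c.charCodeAt(0));
  return JSON.parse(new TextDecoder('utf-8', { fatal: true }).decode(bytes));
}

// now and leeway are in seconds; leeway absorbs clock skew between hosts.
function tokenStatus(token, now, leeway = 0) {
  const parts = token.trim().split('.');
  if (parts.length !== 3) throw new Error('Expected 3 parts');
  const header = b64urlToJson(parts[0]);
  const payload = b64urlToJson(parts[1]);
  if (typeof payload !== 'object' || payload === null) throw new Error('Payload is not a JSON object');
  const warnings = [];

  // alg "none" or an empty third part means nothing protects the claims.
  if (String(header?.alg).toLowerCase() === 'none' || parts[2] === '') {
    warnings.push('unsigned token');
  }
  // RFC 7519 NumericDate must be a JSON number, not a string.
  let malformed = false;
  for (const claim of ['exp', 'nbf', 'iat']) {
    if (claim in payload && !Number.isFinite(payload[claim])) {
      warnings.push(`${claim} is not a NumericDate`);
      malformed = true;
    }
  }
  const { exp, nbf } = payload;
  let state = 'no-expiry';
  if (malformed) state = 'malformed';
  else if (exp !== undefined && now >= exp + leeway) state = 'expired';
  else if (nbf !== undefined && now < nbf - leeway) state = 'not-yet-valid';
  else if (exp !== undefined) state = 'valid';
  return { state, secondsLeft: Number.isFinite(exp) ? exp - now : null, warnings };
}

// Builds constructed sample tokens; the signature is a dummy string.
function makeToken(header, payload, sig = 'c2ln') {
  const enc = o => btoa(JSON.stringify(o)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc(header)}.${enc(payload)}.${sig}`;
}
```

A `valid` state here describes the time claims only; the signature is still unchecked.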
Standard JWT Claims (RFC 7519)
| Claim | Meaning |
|---|---|
| iss | Issuer |
| sub | Subject |
| aud | Audience |
| exp | Expiration Time |
| nbf | Not Before |
| iat | Issued At |
| jti | JWT ID |
Try It
devnestio.pages.dev/jwt-decoder/
Part of the DevNestio developer tools collection.