Free JWT token inspector — decode, verify signatures, check expiration & debug claims
Auto-detects the compact JWT format, strips a leading `Bearer` prefix, and decodes the header and payload with syntax-highlighted JSON output. Malformed tokens (wrong number of segments, invalid base64url, non-JSON segments) produce a clear error instead of a crash.
Verify HMAC signatures (HS256, HS384, HS512) with your secret key. The algorithm you select is used for the check regardless of what the token's header claims, and the computed signature is compared to the token's signature using a constant-time comparison.
Decodes time-based claims (exp, nbf, iat) from NumericDate (seconds since the Unix epoch) into human-readable dates. Calculates token age and time until expiration, and identifies tokens that are expired or not yet valid.
Detects common security issues: `alg: none` or unsigned tokens, weak or empty secrets, expired tokens, and missing critical claims such as exp, iss, and aud.
| Claim | Name | Description |
|---|---|---|
| iss | Issuer | Identifies the principal that issued the JWT. The claim value is a case-sensitive string. |
| sub | Subject | Identifies the principal that is the subject of the JWT. Must be locally unique in the context of the issuer or globally unique. |
| aud | Audience | Identifies the recipients the JWT is intended for. Each principal intended to process the JWT must identify itself with a value in the audience claim and reject the token otherwise. |
| exp | Expiration Time | Time on or after which the JWT MUST NOT be accepted. NumericDate (seconds since epoch). |
| nbf | Not Before | Time before which the JWT MUST NOT be accepted. NumericDate (seconds since epoch). |
| iat | Issued At | Time at which the JWT was issued. Used to determine token age. NumericDate (seconds since epoch). |
| jti | JWT ID | Unique identifier for the JWT. Used to prevent replay attacks. Must be assigned in a manner that ensures a negligible probability of collision. |
| name | Full Name | Full name of the user. Common in OIDC but not part of the JWT spec. |
| email | Email | Email address of the user. Common in OIDC but not part of the JWT spec. |
| role | Role | Application-specific claim for authorization. Not standardized. |
| scope | Scope | Space-separated list of OAuth 2.0 scope values. Indicates what access the token grants. |
A JSON Web Token (JWT) is an open standard (RFC 7519) for transmitting claims between parties as a JSON object. In its common signed form (a JWS) it consists of three Base64Url-encoded parts, Header, Payload, and Signature, separated by dots. The signature gives integrity and authenticity; the payload is only encoded, not encrypted, so anyone who holds the token can read its claims. JWTs are commonly used for authentication and authorization in web applications.
To verify a JWT signature, you need the secret key (for HMAC algorithms like HS256/HS384/HS512) or the public key (for RSA/ECDSA algorithms). Paste the token and secret into the Signature tab above, select the algorithm your application expects, and the debugger will compute the expected signature over `header.payload` and compare it to the token's signature. Select the algorithm yourself rather than trusting the token's `alg` header: a verifier that honours whatever `alg` the token announces can be downgraded to `none` or tricked into treating an RSA public key as an HMAC secret.
Yes. All decoding and verification happens entirely in your browser using client-side JavaScript. Your token is never sent to any server. However, you should never share tokens containing sensitive data with untrusted parties or on public networks.