Signature is not verified. Verification requires the secret key or public certificate.
How it works
Run this tool in three short steps.
1. Paste a JWT token: Paste any JSON Web Token into the input field — it decodes automatically on paste, or click "Decode Token".
2. View decoded parts: Each section is color-coded and formatted. Toggle claim explanations to understand what each field means.
3. Check expiration and warnings: Automatic alerts flag expired tokens, missing claims, weak algorithms, or dangerously long lifetimes — all processed locally.
Questions
What people ask before they use this tool.
What is a JWT (JSON Web Token)?
A JWT is a compact, URL-safe token format used for authentication and information exchange. It consists of three Base64URL-encoded parts separated by dots: a Header (algorithm and type), a Payload (claims like user ID, expiration), and a Signature (cryptographic verification). JWTs are widely used in OAuth 2.0, OpenID Connect, and API authentication.
Does this tool verify the JWT signature?
No. This tool decodes and inspects the token contents (Header and Payload) without verifying the signature. Signature verification requires the HMAC secret or the issuer's public key, and a secret key should never be pasted into a browser tool. Use this tool for debugging and inspection only — never trust a JWT based on decoded contents alone.
Is anything sent to a server when I decode a token?
The token is decoded in your browser for inspection, and Coda One does not upload it during decoding. You should still avoid pasting production secrets into any browser session unless your own security policy allows it.
What do the standard JWT claims mean?
Standard claims include: "iss" (issuer — who created the token), "sub" (subject — who the token is about), "aud" (audience — intended recipient), "exp" (expiration time), "nbf" (not before — token is invalid before this time), "iat" (issued at — when it was created), and "jti" (JWT ID — unique identifier for the token). All time claims are Unix timestamps.
Why does my JWT fail to decode?
Common reasons: the token is not a valid JWT (must have exactly 3 dot-separated parts), Base64URL encoding is corrupted (e.g., extra whitespace or missing characters), or the Header/Payload is not valid JSON. Check that you copied the full token without truncation or extra spaces.
What do the color-coded parts mean?
The JWT is split into three color-coded parts: the Header (rose/red) contains metadata like algorithm and token type; the Payload (purple) contains the claims — the actual data; and the Signature (blue) is an HMAC or digital signature over the header and payload, used by the verifying party to check that the token has not been tampered with.
Does this tool work on mobile devices?
Yes. The interface is fully responsive. You can paste a JWT from your clipboard, tap Decode, and inspect all three parts on any phone or tablet.
How does this compare to jwt.io?
jwt.io also decodes JWTs in the browser. This tool adds automatic expiration checking, validation warnings (weak algorithms, missing claims, long lifetimes), claim explanations, and a compact/formatted toggle — all without sending data to a server.
Can I use this to debug OAuth 2.0 or OpenID Connect tokens?
Yes. OAuth access tokens and OIDC ID tokens are typically JWTs. Paste them here to inspect scopes, audience, issuer, expiration, and other claims. This is useful for debugging API authentication issues or verifying token contents during development.
What does the "none" algorithm warning mean?
A JWT with alg: "none" has no cryptographic signature, meaning anyone can forge the token by modifying the payload. This is a known security vulnerability. Legitimate JWTs should always use a signing algorithm like HS256, RS256, or ES256.
Can I decode JWTs from the command line instead?
Yes. You can decode a JWT with: echo "TOKEN" | cut -d. -f2 | base64 -d | jq . — but this requires jq and does not handle URL-safe Base64 padding. This tool does all of that automatically plus expiration checks and warnings.
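The decoding and inspection steps described above, as an added JavaScript example that is not the tool's own code: it restores Base64URL padding (the step the shell one-liner skips), splits the three parts, and emits the same kinds of warnings the page lists. It assumes Node's Buffer, and the 24-hour lifetime threshold and the sample token are constructed for the example.

```javascript
// Added example (not the tool's own code): decode a JWT without verifying it,
// restoring Base64URL padding, then emit the page's kinds of inspection warnings.

// Base64URL (RFC 4648 sec. 5) uses '-' '_' for '+' '/' and drops '=' padding;
// a strict base64 decoder may reject that, so restore both before decoding.
function base64UrlDecode(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

// Inverse, used only to build the constructed sample token below.
function base64UrlEncode(text) {
  return Buffer.from(text, 'utf8').toString('base64').replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Split header.payload.signature and parse the JSON parts. The signature is
// returned untouched: nothing here verifies it, exactly like the page's tool.
function decodeJwt(token) {
  const parts = token.trim().split('.');
  if (parts.length !== 3) throw new Error('JWT must have exactly 3 dot-separated parts');
  const [h, p, s] = parts;
  return { header: JSON.parse(base64UrlDecode(h)), payload: JSON.parse(base64UrlDecode(p)), signature: s };
}

// Warnings evaluated at `now` (Unix seconds). maxLifetime is an assumed 24h
// threshold for the "dangerously long lifetime" alert.
function inspectJwt(token, now, maxLifetime = 24 * 3600) {
  const { header, payload } = decodeJwt(token);
  const warnings = [];
  if (!header.alg || String(header.alg).toLowerCase() === 'none') warnings.push('unsigned token: alg is "none" or missing');
  for (const claim of ['iss', 'sub', 'aud', 'exp']) if (!(claim in payload)) warnings.push(`missing claim: ${claim}`);
  if (typeof payload.exp === 'number' && payload.exp <= now) warnings.push('token expired');
  if (typeof payload.nbf === 'number' && payload.nbf > now) warnings.push('token not yet valid (nbf in future)');
  if (typeof payload.exp === 'number' && typeof payload.iat === 'number' && payload.exp - payload.iat > maxLifetime) {
    warnings.push(`lifetime ${(payload.exp - payload.iat) / 3600}h exceeds ${maxLifetime / 3600}h`);
  }
  return { header, payload, warnings };
}

// Constructed sample: unsigned (alg "none"), no iss/aud, valid for 3 days.
const SAMPLE_ISSUED_AT = 1700000000;
const SAMPLE_TOKEN = [
  base64UrlEncode(JSON.stringify({ alg: 'none', typ: 'JWT' })),
  base64UrlEncode(JSON.stringify({ sub: '1234567890', iat: SAMPLE_ISSUED_AT, exp: SAMPLE_ISSUED_AT + 3 * 24 * 3600 })),
  '', // empty signature part: "header.payload." still splits into three parts
].join('.');

console.log(inspectJwt(SAMPLE_TOKEN, SAMPLE_ISSUED_AT + 60).warnings);
```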
What other Coda One tools are useful for API development?
The <a href="/base64-encode-decode">Base64 Encoder</a> helps with token-related encoding. The <a href="/json-formatter">JSON Formatter</a> is useful for inspecting API responses. The <a href="/hash-generator">Hash Generator</a> can verify HMAC signatures when you have the secret key.
Coda One's JWT Decoder gives you a direct paste-and-inspect workflow for JSON Web Tokens. Review the three color-coded parts, inspect claims, check expiration status, and surface validation warnings without leaving the page. It is a browser-based starting point for debugging auth flows before you move into deeper verification with your own keys and tooling.