JWT token decoder

jwtchop decodes any JSON Web Token (JWT) entirely in your browser. Paste your token above and instantly see the decoded header, all payload claims, the raw signature, and the token's expiry status — with no data leaving your device. There are no server requests, no logs, and no tracking of the tokens you paste.

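A JWT is made of three base64url-encoded parts joined by dots: HEADER.PAYLOAD.SIGNATURE. The header identifies the signing algorithm. The payload carries claims, which are structured facts about the subject. Header and payload are encoded, not encrypted, so anyone holding the token can read them. The signature proves the token hasn't been tampered with, but verifying it requires the signing secret (for HMAC algorithms) or the public key (for RSA/ECDSA algorithms), and a secret should never be pasted anywhere.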

Standard JWT Claims

sub (Subject): who the token is about
iss (Issuer): who issued the token
aud (Audience): who the token is for
exp (Expiration): Unix timestamp when the token expires
iat (Issued At): Unix timestamp when the token was created
nbf (Not Before): token is invalid before this time
jti (JWT ID): unique identifier for this token

Why browser-side?

Most JWT decoders send your token to a server. That's a security risk — JWTs often contain user IDs, roles, email addresses, session identifiers, and other sensitive claims. Even if the server doesn't store them, the token travels over a network you don't control. jwtchop does all decoding locally using the browser's built-in JavaScript engine. Your tokens stay on your machine.

How to use jwtchop

Paste your JWT into the input field above. The decoder updates instantly as you type. The header panel shows the algorithm (HS256, RS256, etc.) and token type. The payload panel shows all claims with standard claim names labeled in plain English. The signature panel shows the raw signature bytes. The token status panel shows whether the token is currently valid, expired, or not yet active based on the exp, iat, and nbf claims.
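
The decoding and status steps described above, as an added JavaScript example (not jwtchop's own code). The function names and the sample token are assumptions constructed for illustration; the status check uses exp and nbf only, and the signature is reported as unverified.

```javascript
// Added example: decode-only inspection. Nothing here verifies the signature.

// base64url -> bytes: restore the standard alphabet and padding, then atob().
function b64urlToBytes(segment) {
  if (!/^[A-Za-z0-9_-]*$/.test(segment)) throw new Error("not base64url");
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
}

// Header and payload are UTF-8 JSON; fatal:true rejects malformed bytes.
function decodeJson(segment) {
  const text = new TextDecoder("utf-8", { fatal: true }).decode(b64urlToBytes(segment));
  return JSON.parse(text);
}

// Time-window status only (exp and nbf are Unix seconds). "valid" here means
// "inside the window", not "authentic": the signature is never checked.
function tokenStatus(payload, nowSeconds) {
  if (typeof payload.nbf === "number" && nowSeconds < payload.nbf) return "not yet active";
  if (typeof payload.exp === "number" && nowSeconds >= payload.exp) return "expired";
  return "valid";
}

function decodeJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected HEADER.PAYLOAD.SIGNATURE");
  const payload = decodeJson(parts[1]);
  return {
    header: decodeJson(parts[0]),
    payload,
    signatureBytes: b64urlToBytes(parts[2]).length, // 0 for alg "none"
    signatureVerified: false,
    status: tokenStatus(payload, nowSeconds),
  };
}

// Constructed sample: issued at t, active 5 minutes later, expires after 1 hour.
// The signature segment is a placeholder, not a real MAC.
function b64url(obj) {
  return btoa(JSON.stringify(obj)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}
const SAMPLE = [
  b64url({ alg: "HS256", typ: "JWT" }),
  b64url({ sub: "user-123", iat: 1700000000, nbf: 1700000300, exp: 1700003600 }),
  "c2lnbmF0dXJl",
].join(".");

console.log(decodeJwt(SAMPLE, 1700000000).status);
```

A server that accepts tokens must still verify the signature with its own keys before trusting any claim shown by a decoder like this.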

FAQ

What is a JWT?

A JSON Web Token (JWT) is a compact, URL-safe token format defined in RFC 7519. It's used to securely transmit claims between parties — most commonly for authentication (proving who you are) and authorization (proving what you're allowed to do). JWTs are issued by an auth server after login and sent with subsequent requests to prove identity.

Is it safe to paste my JWT here?

Yes. jwtchop runs entirely in your browser — there are no server requests, no analytics on token content, and no logging. You can verify this by opening DevTools and watching the Network tab: no requests are made when you paste a token. That said, don't paste production tokens containing real credentials into any browser tool if you can avoid it. Use a test token or a token from a staging environment when possible.

Can jwtchop verify the signature?

No — and that's intentional. Verifying a JWT signature requires the secret signing key (for HMAC algorithms like HS256) or the public key (for RSA/ECDSA algorithms like RS256). You should never paste your secret key into any browser tool. jwtchop shows you the raw signature and the algorithm used, so you can verify in your own environment using your keys.

What algorithms does jwtchop support?

jwtchop decodes any JWT regardless of algorithm — HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384, PS512, and none (unsecured JWTs). Since decoding only reads the base64url-encoded header and payload, no algorithm-specific processing is needed.

Why is my token showing as expired?

The exp claim in the payload contains a Unix timestamp (seconds since Jan 1, 1970). If that timestamp is in the past relative to your current local time, the token is expired. This is expected for tokens you've retrieved from logs or old sessions. Request a fresh token from your auth provider.

What's the difference between iat and nbf?

iat (Issued At) is when the token was created. nbf (Not Before) is when the token becomes valid — useful for tokens that are created in advance but shouldn't be used yet. A token can have both: issued now, valid in 5 minutes, expires in 1 hour.