100% Client-Side · No Secret Needed

JWTDecoder

Paste any JSON Web Token to instantly decode the header, payload and every claim with plain-English explanations, expiry countdown, security checks, and algorithm ratings.

Decoding happens entirely in your browser using native atob(). Your token is never sent to any server. The signature is not verified, so no secret is needed.

Registered Claim Reference

Every RFC 7519 standard claim, explained

| Claim | Full Name | Description | RFC |
|-------|-----------|-------------|-----|
| iss | Issuer | Who created and signed this token. Usually a URL like https://auth.example.com. | RFC 7519 §4.1.1 |
| sub | Subject | Who this token is about, typically a user ID or principal identifier. | RFC 7519 §4.1.2 |
| aud | Audience | Who this token is intended for. Your app should verify it matches its own identifier. | RFC 7519 §4.1.3 |
| exp | Expiration Time | Unix timestamp after which this token must be rejected. | RFC 7519 §4.1.4 |
| nbf | Not Before | Unix timestamp before which this token must be rejected. Token is invalid before this time. | RFC 7519 §4.1.5 |
| iat | Issued At | Unix timestamp of when the token was issued. Useful for determining token age. | RFC 7519 §4.1.6 |
| jti | JWT ID | Unique identifier for this token. Prevents replay attacks when stored server-side. | RFC 7519 §4.1.7 |
| scope | Scope | Space-separated list of OAuth 2.0 scopes this token grants access to. | - |
| alg | Algorithm | Cryptographic algorithm used to sign the token. | - |
| typ | Type | Type of token, should be "JWT". | - |
| kid | Key ID | Hint about which key was used to sign the token. Used to look up the correct key from a JWKS endpoint. | - |
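What decode-only inspection of this kind involves, as an added example (not this tool's own code): atob() accepts only standard base64, so each base64url segment is converted first, then exp, nbf and aud are checked against the caller's clock and identifier. The function names, finding strings and sample token are constructed for illustration.

```javascript
"use strict";
// Added example: decode-only JWT inspection. Nothing here verifies the signature.

// JWT segments are base64url (no padding, '-' and '_' instead of '+' and '/'),
// which atob() rejects, so convert to standard base64 first.
function b64urlToJson(segment) {
  if (!/^[A-Za-z0-9_-]+$/.test(segment)) throw new Error("segment is not base64url");
  let b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  b64 += "=".repeat((4 - (b64.length % 4)) % 4);
  // atob() yields one char per byte; decode those bytes as UTF-8 before parsing.
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  return JSON.parse(new TextDecoder("utf-8", { fatal: true }).decode(bytes));
}

// Decode header and payload, then flag claim problems relative to `now`
// (Unix seconds). `audience` is the identifier the caller expects in aud.
function inspectJwt(token, { now = Math.floor(Date.now() / 1000), audience } = {}) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const header = b64urlToJson(parts[0]);
  const payload = b64urlToJson(parts[1]);
  const findings = [];
  if (String(header.alg).toLowerCase() === "none" || parts[2] === "") {
    findings.push("unsigned");
  }
  if (typeof payload.exp !== "number") findings.push("no exp");
  else if (now >= payload.exp) findings.push("expired");
  if (typeof payload.nbf === "number" && now < payload.nbf) findings.push("not yet valid");
  if (audience !== undefined && ![].concat(payload.aud ?? []).includes(audience)) {
    findings.push("audience mismatch");
  }
  // A decoder can read claims but cannot vouch for them without the key.
  return { header, payload, findings, signatureVerified: false };
}

// Constructed sample token (signature segment is a placeholder, not a real MAC).
const toB64url = (obj) =>
  btoa(String.fromCharCode(...new TextEncoder().encode(JSON.stringify(obj))))
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const SAMPLE_TOKEN = [
  toB64url({ alg: "HS256", typ: "JWT", kid: "key-1" }),
  toB64url({ iss: "https://auth.example.com", sub: "user-123", aud: "api.example",
             nbf: 1699990000, exp: 1700000000 }),
  "c2lnbmF0dXJl",
].join(".");

console.log(inspectJwt(SAMPLE_TOKEN, { now: 1700000001, audience: "api.example" }).findings);
```

Because `signatureVerified` is always false, the decoded claims are only as trustworthy as the token's source; a server must verify the signature before acting on any of them.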