JWT Decoder Online — Free JWT Token Decoder, Inspector & Validator

How to Use the JWT Decoder Online

  1. Paste your JWT token into the input area on the left, or use one of the example tokens from the dropdown.

  2. The token is automatically decoded — view the header, payload, and signature sections on the right.

  3. Check the expiration status badge to see if the token is valid, expired, or not-yet-valid.

  4. To verify an HMAC signature, enter your secret key in the signature panel and click Verify.

  5. Review the security analysis panel for any warnings about the token's algorithm or claims.

  6. Copy the decoded header or payload with ⌘⇧C, or share the token via a compressed URL.

JWT Decoder Features

  • Decode JWT tokens: instantly view header, payload, and signature in a clean three-panel layout.

  • Registered claims viewer: see human-readable explanations for iss, sub, aud, exp, nbf, iat, jti.

  • Expiration tracking: live countdown shows time until expiry, with color-coded status badges.

  • HMAC signature verification: verify HS256, HS384, HS512 signatures with your secret key.

  • Security analysis: detects alg:none vulnerability, expired tokens, missing claims, and weak algorithms.

  • OAuth 2.0 support: parses scope, roles, and other OAuth-specific claims.

  • OpenID Connect support: displays nonce, at_hash, auth_time, acr, amr claims.

  • Token structure visualizer: color-coded bar showing header/payload/signature proportions.

  • Clock tolerance: configurable tolerance in seconds for exp and nbf validation.

  • Auto-decode: automatically decodes JWT when pasting a valid token.

  • Shareable URLs: gzip-compresses your token into a URL for easy sharing.

  • Works entirely in your browser — no token data is ever sent to a server.

Frequently Asked Questions

What is a JWT?
A JWT (JSON Web Token) is a compact, URL-safe means of representing claims to be transferred between two parties. It consists of three parts: header, payload, and signature, separated by dots. JWTs are commonly used for authentication and authorization in modern web applications.
Is this JWT decoder free?
Yes, DevFlow JWT Decoder is completely free with no usage limits. All decoding and verification runs directly in your browser.
Is my token data safe?
All processing happens entirely in your browser using JavaScript. No token data is ever transmitted to a server or stored anywhere outside your browser. Your tokens stay completely private on your machine.
What JWT algorithms are supported?
The decoder supports all common algorithms: HS256, HS384, HS512 (HMAC), RS256, RS384, RS512 (RSA), ES256, ES384, ES512 (ECDSA), and PS256, PS384, PS512 (RSA-PSS). For signature verification, only HMAC (HS256/384/512) is supported in browser mode.
Can I verify RSA or EC signatures?
RSA and EC signature verification requires a public key, which is not supported in client-side-only mode. You can still inspect the header to see the algorithm used, but signature verification is limited to HMAC tokens.
What are registered claims?
Registered claims are a set of predefined claims defined in the JWT specification: iss (issuer), sub (subject), aud (audience), exp (expiration time), nbf (not before), iat (issued at), and jti (JWT ID). These provide standardized metadata about the token.
What does the exp claim mean?
The exp (expiration time) claim identifies when the token expires. After this time, the token should not be accepted for processing. The decoder shows both the absolute expiration time and a countdown timer.
How does signature verification work?
For HMAC tokens (HS256/384/512), enter your secret key in the signature panel and click Verify. The tool uses the Web Crypto API to compute the signature and compare it with the one in the token.
Can I decode expired tokens?
Yes. The decoder shows expired tokens with a clear warning badge but still displays all the decoded content. This is useful for debugging why a token expired.
Does it work offline?
Yes. All decoding logic is bundled with the page as pure JavaScript. Once the page has loaded, the JWT Decoder works without an internet connection.
What is the alg:none vulnerability?
Some JWT implementations accept tokens with alg set to none, meaning they have no signature. Attackers can forge tokens by setting alg:none. The decoder shows a prominent security warning when this is detected.
What is the difference between JWS and JWE?
JWS (JSON Web Signature) is a JWT with a digital signature. JWE (JSON Web Encryption) is an encrypted JWT. This tool decodes JWS tokens. JWE tokens have 5 segments instead of 3 and are not supported for decoding.
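
The checks described in the answers above (three-segment structure, alg:none, exp and nbf with clock tolerance, rejecting five-segment JWE), as an added example that is not DevFlow's own code. The function names, warning labels and sample tokens are assumptions made for illustration, and the code inspects a token without verifying its signature.

```javascript
// Added example: inspect a compact JWS (decode + structure, alg and time checks).
// It does NOT verify the signature. Names and warning labels are illustrative.
function b64urlToJson(segment) {
  // base64url -> base64, restore padding, decode bytes as UTF-8, parse JSON
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return JSON.parse(new TextDecoder().decode(bytes));
}

function inspectJwt(token, { now = Math.floor(Date.now() / 1000), toleranceSec = 0 } = {}) {
  const parts = token.trim().split(".");
  if (parts.length === 5) throw new Error("JWE (5 segments) is not supported");
  if (parts.length !== 3) throw new Error("expected 3 dot-separated segments");

  const header = b64urlToJson(parts[0]);
  const payload = b64urlToJson(parts[1]);
  const warnings = [];

  // alg:none marks an unsigned token; compare case-insensitively so that
  // spellings such as "None" or "NONE" are flagged as well.
  if (String(header.alg ?? "").toLowerCase() === "none") warnings.push("alg-none");

  // exp and nbf are NumericDate values (seconds since the Unix epoch).
  let status = "valid";
  if (typeof payload.nbf === "number" && now < payload.nbf - toleranceSec) {
    status = "not-yet-valid";
  }
  if (typeof payload.exp !== "number") {
    warnings.push("missing-exp");
  } else if (now >= payload.exp + toleranceSec) {
    status = "expired";
  }
  return { header, payload, status, warnings };
}

// Constructed sample tokens (not real credentials). The third segment of
// SAMPLE_SIGNED is a placeholder string, not a real MAC.
const enc = (obj) =>
  btoa(JSON.stringify(obj)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const SAMPLE_UNSIGNED =
  `${enc({ alg: "None", typ: "JWT" })}.${enc({ sub: "demo", exp: 1700000000 })}.`;
const SAMPLE_SIGNED =
  `${enc({ alg: "HS256", typ: "JWT" })}.` +
  `${enc({ sub: "demo", nbf: 1700000000, exp: 1700000600 })}.c2lnbmF0dXJl`;
```

A token that passes these checks is only well-formed and inside its validity window; whether it can be trusted still depends on verifying the signature with the correct key.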
