JWT Decoder

Decode compact JWTs, inspect claims and headers, flag common authentication risks, verify supported signatures locally, and copy review-ready outputs without sending tokens to a server.

Claim Reference

  • iss: Issuer that created the token.
  • sub: Subject represented by the token.
  • aud: Audience expected to receive the token.
  • exp: Expiration time after which the token should be rejected.
  • nbf: Not-before time before which the token should be rejected.
  • iat: Issued-at time when the token was created.
  • jti: Unique token identifier.
  • scope: OAuth scopes granted by the token.
  • scp: OAuth scopes granted by the token.
  • roles: Application roles or authorization groups.
  • role: Application role or authorization group.
  • admin: Custom administrative privilege flag.

Tokens and keys stay in the browser. Share links omit verification secrets.

JWT Notes

  • Decoding: Base64URL decoding only proves token structure, not trust.
  • Verification: HS algorithms use a shared secret; RS, PS, and ES algorithms use public key or JWKS material.
  • Secrets: Verification keys and HMAC secrets stay local and are omitted from share URLs and history.
  • Claims: exp, iat, and nbf are interpreted by their actual semantics instead of one generic timestamp label.
  • Headers: kid, jku, x5u, x5c, crit, and alg values are highlighted for review.
  • Cracking: Hashcat mode 16500 applies to JWT HS256/HS384/HS512 secrets.
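
The decoding, claim, and header notes above can be reproduced offline with a short review function. This is an added example, not the tool's own code; the function names, finding strings, and sample token are assumptions constructed for illustration, and the function performs no signature verification.

```javascript
// Added example: offline review of a compact JWT (decode only, no signature check).
const REVIEW_HEADERS = ["kid", "jku", "x5u", "x5c", "crit"];

// Base64URL segment -> parsed JSON object; throws on malformed input.
function decodeSegment(segment) {
  if (!/^[A-Za-z0-9_-]+$/.test(segment)) throw new Error("segment is not Base64URL");
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  const obj = JSON.parse(new TextDecoder("utf-8", { fatal: true }).decode(bytes));
  if (obj === null || typeof obj !== "object") throw new Error("segment is not a JSON object");
  return obj;
}

// Returns { header, payload, findings }; `now` is seconds since the epoch.
function reviewJwt(token, now = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const header = decodeSegment(parts[0]);
  const payload = decodeSegment(parts[1]);
  const findings = ["decoded only: signature not verified"];

  const alg = String(header.alg ?? "");
  if (alg === "" || alg.toLowerCase() === "none") findings.push("alg is none or missing");
  else if (/^HS(256|384|512)$/.test(alg)) findings.push(`${alg}: shared-secret HMAC`);
  if (parts[2] === "") findings.push("empty signature segment");
  for (const name of REVIEW_HEADERS) {
    if (name in header) findings.push(`header ${name} present: review key source`);
  }

  // exp, nbf and iat each carry their own meaning rather than one timestamp label.
  const isTime = (v) => typeof v === "number" && Number.isFinite(v);
  if (!("exp" in payload)) findings.push("no exp claim: token has no expiry");
  else if (!isTime(payload.exp)) findings.push("exp is not a NumericDate");
  else if (payload.exp <= now) findings.push("exp passed: reject as expired");
  if (isTime(payload.nbf) && payload.nbf > now) findings.push("nbf in future: not yet valid");
  if (isTime(payload.iat) && payload.iat > now) findings.push("iat in future: check issuer clock");
  return { header, payload, findings };
}

// Constructed sample token (not from the page); the signature segment is a dummy value.
const enc = (o) => btoa(JSON.stringify(o)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const SAMPLE = [
  enc({ alg: "HS256", typ: "JWT", kid: "demo-key" }),
  enc({ iss: "https://issuer.example", sub: "user-1", exp: 1700000000, nbf: 1600000000, iat: 1600000000 }),
  "c2lnbmF0dXJl",
].join(".");
```

Calling reviewJwt(SAMPLE, 1650000000) returns the decoded header and payload plus three findings; passing a later or earlier `now` shows how the exp, nbf, and iat checks differ.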