
JWT Decoder & Inspector

Instantly decode JSON Web Tokens and verify HMAC signatures. Inspect the header, the payload and the standard claims safely and completely offline.


What is a JWT Decoder?

An online JWT decoder is a developer tool that unpacks and inspects JSON Web Tokens. JWTs are an open, industry-standard (RFC 7519) method for representing claims securely between two parties. They are widely used for modern web authentication, authorization (like OAuth2), and information exchange.

Although a JWT looks like a long, cryptic string of characters separated by dots, it is not encrypted: each part is merely Base64Url encoded. Paste the string into the tool and it decodes the underlying JSON structure, revealing the token's header, the data payload (claims), and the raw signature, which makes it useful for debugging login flows and API permissions.

How to use the JWT Inspector

  1. Input your Token: Paste your JWT (which typically starts with `ey...`) into the text area above.
  2. Inspect the Payload: The tool instantly splits the token into three parts: the Header (Algorithm & Token Type), the Payload (Standard and Custom Claims), and the Signature.
  3. Verify Signature (Optional): If your token uses an HMAC-SHA256 signature (HS256), you can paste your secret key into the "HMAC Secret" box. The tool recomputes the HMAC with that key and compares it with the token's signature to tell you whether the token is valid or forged.
  4. Check Expiration: If the token contains an `exp` claim, the tool will calculate the exact date and show you a real-time countdown of when the token expires (or if it has already expired).

Features of this Tool

  • 100% client-side: your access tokens and secret keys never leave your browser.
  • No sign-up or account required.
  • Color-Coded Analysis: Visually distinguish the header, payload, and signature blocks at a glance.
  • Offline Signature Verification: Validates HS256 signatures using the browser's native `SubtleCrypto` Web API.
  • Human-Readable Claims: Automatically maps standard IANA-registered claims (like `iat`, `sub`, `exp`) to readable descriptions.
  • Expiry Calculator: Converts Unix epoch timestamps into local time in a human-readable format.

Frequently Asked Questions

Is it safe to paste my production JWT here?

Yes. ZeroTools operates entirely offline. Decoding uses the native JavaScript `atob` and `JSON.parse` functions directly in your browser. There are no backend databases, and we do not transmit analytics payloads containing your data. It is fundamentally secure for production tokens.

Why can I read the token without the secret key?

This is a common misconception about JWTs. JSON Web Tokens are encoded (for safe transmission over HTTP), not encrypted. The payload is designed to be readable by anyone who holds the token. The "secret key" is used only for the Signature, which lets the recipient confirm that the payload hasn't been maliciously altered in transit.

Can this tool decrypt JWE (JSON Web Encryption) tokens?

No. This tool is designed for standard JWS (JSON Web Signatures), which are the most common type of JWT used for authentication. It currently does not support decrypting encrypted payloads.

What does "Signature NOT verified" mean?

By default the tool does not know your backend server's secret key, so it cannot guarantee that the token is authentic. It simply decodes the visible payload. If you want to verify the signature, you must supply the HS256 secret key in the options field.
