Decode and inspect JSON Web Tokens locally — nothing leaves your browser.
Drop a JWT into the editor on the left. A leading "Bearer " prefix is stripped automatically, so curl headers paste cleanly.
The right panel splits the token into its three parts. Header reveals the signing algorithm; payload holds the claims; signature stays as base64url for reference.
Below the payload you'll see issuer, audience, subject, and timestamps. The expires badge flips to red the moment a token is past its lifetime.
No token at hand? Click HS256, RS256, or Expired in the empty state to load a realistic demo and explore the interface.
A JSON Web Token (JWT) is a compact, URL-safe credential made of three base64url-encoded parts joined by dots: a header describing the algorithm, a payload holding the claims, and a signature proving the first two were produced by someone holding the signing key. Servers issue JWTs to clients who present them on every request, so they can carry identity and permissions across stateless HTTP calls without database lookups.
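Added example (not the tool's own code): a minimal local decoder for the three-part format described above, mirroring the "Bearer " stripping and the expiry check. It only decodes and does not verify the signature, so the claims it returns are untrusted; `inspectJwt`, `b64urlToText`, `textToB64url` and the sample token are hypothetical names and constructed values.

```javascript
// Decode one base64url segment to text. JWT segments carry no "=" padding,
// so the padding is restored before handing the string to atob().
const b64urlToText = (part) => {
  if (!/^[A-Za-z0-9_-]+$/.test(part)) throw new Error("segment is not base64url");
  const b64 = part.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  // fatal: true rejects invalid UTF-8 instead of silently substituting characters.
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes);
};

// Split and decode a JWT without contacting any server.
// Nothing here checks the signature: treat the output as display-only.
function inspectJwt(input, nowSeconds = Math.floor(Date.now() / 1000)) {
  // Assumption: the prefix match is case-insensitive and tolerates extra spaces.
  const token = input.trim().replace(/^Bearer\s+/i, "");
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const [rawHeader, rawPayload, signature] = parts;
  const header = JSON.parse(b64urlToText(rawHeader));
  const payload = JSON.parse(b64urlToText(rawPayload));
  // "exp" is seconds since the Unix epoch; null means the token states no expiry.
  const expired = typeof payload.exp === "number" ? nowSeconds >= payload.exp : null;
  return { alg: header.alg, header, payload, signature, expired };
}

// Constructed sample token; the third segment is a placeholder, not a real MAC.
const textToB64url = (s) =>
  btoa(String.fromCharCode(...new TextEncoder().encode(s)))
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const SAMPLE = [
  textToB64url(JSON.stringify({ alg: "HS256", typ: "JWT" })),
  textToB64url(JSON.stringify({ iss: "https://issuer.example", sub: "user-123", exp: 1700000000 })),
  "c2FtcGxlLXNpZw",
].join(".");

console.log(inspectJwt("Bearer " + SAMPLE));
```

A server must still verify the signature with an algorithm it pins itself, rather than trusting the `alg` value read from the header.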
After a user signs in, the server returns a JWT that the browser sends with each request. The token's claims describe who the user is, so the API doesn't need to hit a session store.
OAuth 2.0 issues short-lived JWTs as access tokens. Resource servers verify the signature locally and read scopes from the payload to authorize the call.
Email a one-time link with a JWT in the URL. Set a tight "exp" so the link expires fast, and put the user id in "sub" so reset endpoints know who to update.
OpenID Connect layers ID tokens — JWTs that prove the user authenticated at the identity provider — on top of OAuth, so multiple apps trust one login.
Symmetric: signer and verifier share the same secret. Fast and tiny, ideal when one service issues and verifies its own tokens. Don't share the secret with third parties.
Asymmetric: the issuer signs with a private key; anyone with the public key can verify. The default for OIDC and federated services that publish a JWKS endpoint.
Asymmetric like RS256 but on elliptic curves. Signatures and keys are dramatically smaller (≈ 70 vs 256 bytes) — a good fit for mobile, edge, and constrained environments.