JWT Decoder

Paste a JWT to inspect its header, payload, and claims. Decoding happens entirely in your browser — your token is never sent to a server.

Decoded successfully. Token has no expiration claim.
sub: 1234567890
iat: 2018-01-18T01:30:22.000Z (1/18/2018, 1:30:22 AM)

Header

{
  "alg": "HS256",
  "typ": "JWT"
}

Payload

{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022
}

Signature

SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Signature verification requires the secret or public key. This tool does not verify signatures — it only decodes.

What is a JWT?

A JSON Web Token (JWT) is a compact, URL-safe way to transmit claims between two parties. It has three parts — header, payload, and signature — separated by dots. The header and payload are base64url-encoded JSON. The signature is computed using the header-specified algorithm and a secret or private key, allowing the receiver to verify the token was not tampered with. JWTs are commonly used for authentication and information exchange in REST APIs.

Common JWT claims

iss (Issuer)

Who issued the token — usually a URL identifying the auth server.

sub (Subject)

Who the token is about — usually the user ID.

aud (Audience)

Who the token is intended for — the API or service expected to accept it.

exp (Expiration Time)

Unix timestamp after which the token must not be accepted.

nbf (Not Before)

Unix timestamp before which the token must not be accepted.

iat (Issued At)

Unix timestamp when the token was issued.

jti (JWT ID)

Unique identifier for the token — useful for preventing replay attacks.

JWT Decoder FAQ

Is it safe to paste my JWT here?

Yes. Decoding happens entirely in your browser with JavaScript — the token is never sent to our server. You can verify this by opening DevTools → Network tab while decoding. Still, avoid pasting tokens that grant access to production systems when using any online decoder.

Can this tool verify the signature?

No. Signature verification requires the signing secret or public key, which you should never paste into an online tool. Verify signatures in your own backend using the issuer's public key (for asymmetric algorithms) or your shared secret.
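
The backend-side check described above, for the shared-secret case, as an added example that is not this tool's code: a Node.js HS256 verifier that pins the algorithm on the verifier side, compares signatures in constant time, and enforces `exp` and `nbf`. The function names, secret, and timestamps are constructed for illustration.

```javascript
// Added example: verify an HS256 JWT in a Node.js backend (not this tool's code).
const crypto = require('node:crypto');

const b64urlJson = (part) => JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));

// Hypothetical helper, used here only to build constructed test tokens.
function signHs256(payload, secret, header = { alg: 'HS256', typ: 'JWT' }) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  const signingInput = `${enc(header)}.${enc(payload)}`;
  const sig = crypto.createHmac('sha256', secret).update(signingInput).digest('base64url');
  return `${signingInput}.${sig}`;
}

// Returns the payload only if the signature and time claims check out; throws otherwise.
function verifyHs256(token, secret, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token');
  const [h, p, s] = parts;
  const header = b64urlJson(h);
  // Pin the algorithm on the verifier side; never let the token choose it.
  if (header.alg !== 'HS256') throw new Error('unexpected alg');
  // The signature covers the encoded header and payload exactly as received.
  const expected = crypto.createHmac('sha256', secret).update(`${h}.${p}`).digest();
  const given = Buffer.from(s, 'base64url');
  // Constant-time comparison; check length first because timingSafeEqual
  // throws when the buffers differ in length.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    throw new Error('bad signature');
  }
  // Only read claims after the signature has been verified.
  const payload = b64urlJson(p);
  if (typeof payload.exp === 'number' && nowSec >= payload.exp) throw new Error('expired');
  if (typeof payload.nbf === 'number' && nowSec < payload.nbf) throw new Error('not yet valid');
  return payload;
}

// Constructed sample values (not real credentials).
const SECRET = 'constructed-demo-secret';
const NOW = 1516239100;
const good = signHs256({ sub: '1234567890', iat: 1516239022, exp: 1516242622 }, SECRET);

// Returns the verified subject, or the rejection reason as a string.
function outcome(token, now = NOW) {
  try { return verifyHs256(token, SECRET, now).sub; } catch (e) { return e.message; }
}
```
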

Which algorithms does this tool support?

All. The tool only decodes the base64url-encoded JSON parts, so it works with any signing algorithm (HS256, RS256, ES256, EdDSA, etc.). The algorithm is listed in the header — look for the `alg` field.

Why is my token shorter than others?

JWT length depends on payload contents (more claims = longer) and the signing algorithm (RSA signatures are longer than HMAC signatures). A compact token with few claims signed with HS256 can be under 200 characters. Tokens with many claims or RSA signatures are often 500+ characters.

What is the difference between JWT and JWS/JWE?

JWS (JSON Web Signature) is signed but not encrypted — anyone can read the payload. JWE (JSON Web Encryption) encrypts the payload. Most "JWTs" in the wild are actually JWS — signed but visible. This tool decodes JWS tokens. Encrypted JWEs cannot be decoded without the decryption key.