JWT Decoder
Decode and inspect JSON Web Tokens instantly. View header, payload, claims, signature, and expiration status. Process data securely in your browser with no information transmitted to external servers..
What is JWT Decoder | Rune
JWT Decoder lets you paste any JSON Web Token and instantly view its decoded header, payload, and signature. Inspect standard claims like issuer, subject, audience, and expiration time with human-readable descriptions. The tool automatically detects expired tokens and displays time claims in your local timezone.
All decoding happens 100% client-side in your browser, your tokens are never sent to any server. Implements industry-standard cryptographic algorithms and security protocols for reliable results. All security operations run locally in your browser, ensuring sensitive data never leaves your device. Suitable for cybersecurity professionals.
Key Features of JWT Decoder
Everything you need for professional jwt decoder
Instant Decoding
Paste any JWT and instantly see the decoded header and payload with proper JSON formatting.
Claims Breakdown
Every claim is listed with its RFC-standard name, description, and value in a clear table format.
Expiration Detection
Automatically checks if the token is expired and shows issuedAt, expiresAt, and notBefore timestamps.
Signature Display
View the signing algorithm and raw signature hash for verification purposes.
Copy Sections
Copy the decoded header or payload as formatted JSON with a single click.
Privacy Safe
All decoding runs locally in your browser. No tokens are transmitted to any server.
How to Use JWT Decoder
Follow these simple steps to get started
Paste JWT
Copy your JWT token and paste it into the input field. Decoding starts automatically.
View Decoded Data
Inspect the header, payload claims, and signature details in a structured view.
Check Expiry & Copy
See if the token is expired and copy any section for use in your application.
Pro Tips
- JWT decoding only reveals the payload, it does not verify the signature. Always verify signatures server-side.
- Tokens with no 'exp' claim never expire. Be cautious with long-lived tokens in production.
- Use this tool to debug authentication issues by checking token claims like 'iss', 'aud', and 'scope'.
- Time claims (iat, exp, nbf) are Unix timestamps in seconds, the tool converts them to readable dates.
Explore More Tools
Discover other powerful tools to boost your productivity
Frequently Asked Questions
Everything you need to know about JWT Decoder
Is it safe to paste my JWT here?
Yes. All decoding happens entirely in your browser using JavaScript. No data is ever sent to a server. Your token stays on your device.
Does this tool verify the JWT signature?
No. This tool decodes and displays the token contents. Signature verification requires the secret key and should be done server-side.
What JWT algorithms are supported?
All algorithms are supported for decoding: HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, PS256, and more.
Can I decode expired tokens?
Yes. Expired tokens can still be decoded, the tool will show the expiration status and when the token expired.
What are standard JWT claims?
Standard claims include: iss (issuer), sub (subject), aud (audience), exp (expiration), nbf (not before), iat (issued at), and jti (JWT ID).
What is the difference between header and payload?
The header contains token metadata (algorithm, type). The payload contains the claims (user data, permissions, expiration). Both are Base64URL-encoded.
Is this tool free?
Yes, completely free with no limits. Decode as many tokens as you want without signing up.
Can I decode tokens from any provider?
Yes. JWT is an open standard (RFC 7519). Tokens from Auth0, Firebase, AWS Cognito, Keycloak, or any other provider can be decoded.
Still need help?
Can't find what you're looking for? Our support team is here to assist you.
Contact Support