JWT Decoder

Decode JSON Web Tokens to inspect header, payload, and expiration. 100% client-side — your token never leaves the browser.

Common errors

  • JWT invalid signature

    The signature does not match the payload. Usually caused by a wrong secret key, an algorithm mismatch, or token tampering.

  • JWT expired

    The token's exp claim is in the past. Refresh the token or obtain a new one from the auth server.

  • JWT malformed

    The token is not a valid JWT (not 3 base64url parts separated by dots). Check encoding and structure.

  • Invalid base64url

    The header or payload contains invalid base64url characters. Check for padding issues and illegal characters.

Examples

  • eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

How to fix

Verify the token has exactly 3 parts (header.payload.signature) separated by dots.

Ensure header and payload are valid base64url-encoded JSON.

Check that the alg header parameter matches what your server expects (HS256, RS256, etc.).

For expired tokens, implement token refresh or re-authenticate.
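
The checks above as one function, written as an added example rather than this tool's own code. The names decodePart and inspectJwt and the "alg mismatch" label are assumptions made for illustration. It inspects structure, alg and exp only and does not verify the signature, which needs the key.

```javascript
// Added example: structural inspection only, no signature verification.
const B64URL = /^[A-Za-z0-9_-]+$/;

// Decode one base64url segment into a JSON object, or throw.
function decodePart(part) {
  if (!B64URL.test(part) || part.length % 4 === 1) {
    throw new Error("Invalid base64url");
  }
  // base64url omits padding; restore it before handing the text to atob().
  const b64 = part.replace(/-/g, "+").replace(/_/g, "/")
    .padEnd(part.length + (4 - (part.length % 4)) % 4, "=");
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  const text = new TextDecoder("utf-8", { fatal: true }).decode(bytes);
  const obj = JSON.parse(text);
  if (obj === null || typeof obj !== "object") {
    throw new Error("not a JSON object");
  }
  return obj;
}

// expectedAlgs is the allow-list your server accepts, e.g. ["HS256"].
function inspectJwt(token, expectedAlgs, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.split(".");
  if (parts.length !== 3) return { ok: false, error: "JWT malformed" };
  if (!B64URL.test(parts[2])) return { ok: false, error: "Invalid base64url" };
  let header, payload;
  try {
    header = decodePart(parts[0]);
    payload = decodePart(parts[1]);
  } catch (e) {
    // Bad characters are reported as such; bad UTF-8 or JSON is "malformed".
    const error = e.message === "Invalid base64url" ? e.message : "JWT malformed";
    return { ok: false, error };
  }
  // Compare alg against an allow-list, never against whatever the token claims.
  if (!expectedAlgs.includes(header.alg)) {
    return { ok: false, error: "alg mismatch", header, payload };
  }
  // exp is seconds since the epoch; the token is valid only while now < exp.
  if (typeof payload.exp === "number" && payload.exp <= nowSeconds) {
    return { ok: false, error: "JWT expired", header, payload };
  }
  return { ok: true, header, payload };
}
```

A result of ok: true means the token is well formed and unexpired, not that it is authentic.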