JWT Decoder

Decode JSON Web Tokens to inspect header, payload, and expiration. 100% client-side — your token never leaves the browser.

How to use

  1. Enter a domain, URL, or value relevant to JWT Decoder.
  2. Run the check and review the output carefully.
  3. Apply recommended fixes, then run the check again to verify.

Common use cases

  • Pre-deployment validation for JWT Decoder.
  • Incident triage when security checks fail in production.
  • Periodic security review as part of technical SEO and hardening.

Example inputs

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Common issues and fixes

JWT invalid signature

The signature does not match the payload. This is usually caused by a wrong secret key, an algorithm mismatch, or token tampering.

JWT expired

The token's exp claim is in the past. Refresh the token or obtain a new one from the auth server.

JWT malformed

The token is not a valid JWT: it does not consist of 3 base64url parts separated by dots. Check encoding and structure.

Invalid base64url

The header or payload contains invalid base64url characters. Check for padding problems and illegal characters.

Recommended remediation

Verify that the token has exactly 3 parts (header.payload.signature) separated by dots. Ensure the header and payload are valid base64url-encoded JSON. Check that the alg parameter in the header matches what your server expects (HS256, RS256, etc.). For expired tokens, implement token refresh or re-authenticate.
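
The checks above as an added JavaScript example (not this tool's own code), run against the example token from this page. The function names, the expectedAlgs allow-list, and the nowSeconds parameter are assumptions of the example; it inspects structure only and does not verify the signature.

```javascript
// Added example: structural JWT checks only; the signature is NOT verified.
const B64URL = /^[A-Za-z0-9_-]*$/;
// The example token from this page (header alg is HS256, payload has no exp).
const PAGE_TOKEN =
  "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9." +
  "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ." +
  "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c";

function b64urlToJson(part) {
  // Illegal characters, or a length no base64 string can have (len % 4 == 1).
  if (!B64URL.test(part) || part.length % 4 === 1) {
    throw new Error("invalid base64url");
  }
  const b64 = part.replace(/-/g, "+").replace(/_/g, "/")
    .padEnd(Math.ceil(part.length / 4) * 4, "=");
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  const obj = JSON.parse(new TextDecoder("utf-8", { fatal: true }).decode(bytes));
  if (obj === null || typeof obj !== "object") throw new Error("not a JSON object");
  return obj;
}

// expectedAlgs (server allow-list) and nowSeconds are assumptions of this example.
function diagnoseJwt(token, expectedAlgs, nowSeconds) {
  const parts = token.trim().split(".");
  if (parts.length !== 3 || parts[0] === "" || parts[1] === "") {
    return { issues: ["malformed: expected header.payload.signature"] };
  }
  let header, payload;
  try {
    header = b64urlToJson(parts[0]);
    payload = b64urlToJson(parts[1]);
  } catch (e) {
    return { issues: ["undecodable header or payload: " + e.message] };
  }
  const issues = [];
  if (!B64URL.test(parts[2])) issues.push("invalid base64url in signature");
  if (!expectedAlgs.includes(header.alg)) issues.push("alg mismatch: " + header.alg);
  if (typeof payload.exp === "number" && payload.exp <= nowSeconds) {
    issues.push("expired");
  }
  return { header, payload, issues };
}

console.log(diagnoseJwt(PAGE_TOKEN, ["HS256"], Math.floor(Date.now() / 1000)));
```

An empty issues list means the token is well-formed and unexpired; whether the signature is valid still has to be checked on the server with the key.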

FAQ

Is JWT Decoder free to use?

Yes. This tool is free and can be used without account registration.

Do you store submitted values?

Only the minimum processing needed for the check. For client-side tools, data stays in your browser.

How should I use these results?

Use the output as a diagnostic baseline, apply fixes in your stack, then re-run the check to confirm remediation.
