inyourbrowser.com

JWT decoder

JWT decoder is a browser-based inspection tool for JSON Web Tokens that decodes the header, payload, and expiry claims entirely client-side. All inspection runs in your browser, paste any token starting with "ey" and see all claims formatted instantly.

JWT token
⚠ Signature not verified, client-side only

VIEW

Runs entirely in your browser

How to decode a JWT

  1. Paste your JWT token into the input area, it starts with ey and contains two dots separating three parts.
  2. The header, payload, and signature sections are decoded and displayed separately.
  3. Inspect the claims in the payload, expiry time, issuer, subject, and custom fields.
  4. Check whether the token has expired based on the exp claim.

Common uses

  • Inspecting the claims inside a JWT from an API response during debugging, use JSON formatter to pretty-print the decoded payload
  • Checking the expiry time of an authentication token to troubleshoot session issues. The Unix timestamp converter helps translate the exp claim to a readable date
  • Verifying the structure and contents of a JWT before implementing token handling

Technical specification

  • Algorithm or formula: Token is split on the two dots into header, payload, and signature segments. Each Base64url segment is normalised (+, / and padding) then decoded with atob and parsed via JSON.parse. UTF-8 handling uses percent-encoded byte expansion to preserve non-ASCII claims.
  • Browser API or library: Native atob and JSON.parse. No external library.
  • Input limits: Any JWS-encoded token small enough for the browser to hold in memory.
  • Output: Decoded JSON header, decoded JSON payload, and the raw Base64url signature segment.
  • Known limitations: Signature verification is not performed. Use this tool for inspection only; trust decisions need a server-side check against the signing key.

Frequently asked questions

Is my JWT sent to a server?
No. Decoding is done entirely in your browser using JavaScript.
Does this verify the JWT signature?
The tool decodes the payload without verifying the cryptographic signature, verification requires the secret or public key. This tool is for inspection only, not security validation.
What is Base64url encoding?
JWTs use Base64url, a URL-safe variant of Base64 that replaces + with - and / with _. This makes tokens safe to include in URLs without additional encoding.
Can I see the raw header and payload?
Yes. The tool shows both the decoded JSON and the raw Base64url-encoded string for each section of the token.

Reviewed and tested May 26, 2026.