Check the `exp` claim to see if the token has expired
Fun Facts
JWTs are not encrypted by default — anyone can decode the payload. The signature only verifies the token wasn't tampered with.
The JWT specification (RFC 7519) was authored by Microsoft employees and published in 2015, but the format was already in wide use by 2013.
The 'none' algorithm in JWT headers has caused numerous security vulnerabilities — many libraries now reject it by default to prevent signature bypass attacks.
FAQ
Does the tool verify the JWT signature?
No — signature verification requires the secret or public key, and that's best done in your application code. The decoder shows the header + payload so you can inspect claims and expiry.
What if the JWT is expired?
The decoder highlights `exp` and compares it to the current time. You'll see a red 'EXPIRED' badge; the rest of the claims display normally.
Can I decode JWE (encrypted JWT)?
This tool handles JWS (signed JWTs, the most common form). JWE requires decryption keys and is less common. For JWE, use a dedicated library.
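The behaviour described in the FAQ answers above, as an added Node.js example (not this tool's own code): it decodes the header and payload without verifying the signature, compares `exp` to the current time, flags the 'none' algorithm, and tells a three-segment JWS from a five-segment JWE. The names `inspectJwt`, `b64urlJson`, `sampleSigned` and `sampleNone` are hypothetical, and the sample tokens are constructed.

```javascript
// Added example, not the tool's code. No signature check is performed here.
function b64urlJson(segment) {
  // base64url -> base64, then parse the UTF-8 JSON the segment carries
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

function inspectJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split('.');
  // Compact JWE has five segments and an encrypted payload: nothing to show without keys.
  if (parts.length === 5) return { kind: 'JWE', warnings: ['encrypted; needs a decryption key'] };
  if (parts.length !== 3) throw new Error('not a compact JWS or JWE');

  const header = b64urlJson(parts[0]);
  const payload = b64urlJson(parts[1]);
  if (typeof payload !== 'object' || payload === null) throw new Error('payload is not a JSON object');
  const warnings = ['signature NOT verified; claims are untrusted'];

  // "none" means unsigned; application code that verifies tokens should reject it.
  if (String(header.alg).toLowerCase() === 'none') warnings.push('alg is "none" (unsigned token)');

  // exp is a NumericDate: seconds since the Unix epoch (RFC 7519).
  let expired = null; // null = no usable exp claim
  if (typeof payload.exp === 'number') expired = nowSeconds >= payload.exp;
  else if ('exp' in payload) warnings.push('exp is not a number');
  if (expired) warnings.push('EXPIRED');

  return { kind: 'JWS', header, payload, expired, warnings };
}

// Constructed sample tokens (the signature segment is a dummy value).
const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const sampleSigned = [enc({ alg: 'HS256', typ: 'JWT' }),
  enc({ sub: 'alice', exp: 1700000000 }), 'c2ln'].join('.');
const sampleNone = [enc({ alg: 'none' }), enc({ sub: 'alice' }), ''].join('.');

console.log(inspectJwt(sampleSigned, 1700000001).warnings);
console.log(inspectJwt(sampleNone).warnings);
```

Everything returned here is unauthenticated input; trust the claims only after your application has verified the signature with the secret or public key.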