Paste any JSON Web Token into the input field — it decodes automatically on paste, or click "Decode Token".
2. View decoded parts
Each section is color-coded and formatted. Toggle claim explanations to understand what each field means.
3. Check expiration and warnings
Automatic alerts flag expired tokens, missing claims, weak algorithms, or dangerously long lifetimes — all processed locally.
FAQ
What is a JWT (JSON Web Token)?
A JWT is a compact, URL-safe token format used for authentication and information exchange. It consists of three Base64URL-encoded parts separated by dots: a Header (algorithm and type), a Payload (claims like user ID, expiration), and a Signature (cryptographic verification). JWTs are widely used in OAuth 2.0, OpenID Connect, and API authentication.
Does this tool verify the JWT signature?
No. This tool decodes and inspects the token contents (Header and Payload) without verifying the signature. Signature verification requires the secret key or public key, which should never be shared in a browser tool. Use this tool for debugging and inspection only — never trust a JWT based on decoded contents alone.
Is my token safe? Is anything sent to a server?
Yes, your token is completely safe. All decoding happens locally in your browser using JavaScript. No data is sent to any server, no network requests are made, and nothing is stored. You can even use this tool offline.
What do the standard JWT claims mean?
Standard claims include: "iss" (issuer — who created the token), "sub" (subject — who the token is about), "aud" (audience — intended recipient), "exp" (expiration time), "nbf" (not before — token is invalid before this time), "iat" (issued at — when it was created), and "jti" (JWT ID — unique identifier for the token). All time claims are Unix timestamps.
Why does my JWT fail to decode?
Common reasons: the token is not a valid JWT (must have exactly 3 dot-separated parts), Base64URL encoding is corrupted (e.g., extra whitespace or missing characters), or the Header/Payload is not valid JSON. Check that you copied the full token without truncation or extra spaces.
What do the color-coded parts mean?
The JWT is split into three color-coded parts: the Header (rose/red) contains metadata like algorithm and token type; the Payload (purple) contains the claims — the actual data; and the Signature (blue) is a cryptographic hash used to verify the token has not been tampered with.
Does this tool work on mobile devices?
Yes. The interface is fully responsive. You can paste a JWT from your clipboard, tap Decode, and inspect all three parts on any phone or tablet.
How does this compare to jwt.io?
jwt.io also decodes JWTs in the browser. This tool adds automatic expiration checking, validation warnings (weak algorithms, missing claims, long lifetimes), claim explanations, and a compact/formatted toggle — all without sending data to a server.
Can I use this to debug OAuth 2.0 or OpenID Connect tokens?
Yes. OAuth access tokens and OIDC ID tokens are typically JWTs. Paste them here to inspect scopes, audience, issuer, expiration, and other claims. This is useful for debugging API authentication issues or verifying token contents during development.
What does the "none" algorithm warning mean?
A JWT with alg: "none" has no cryptographic signature, meaning anyone can forge the token by modifying the payload. This is a known security vulnerability. Legitimate JWTs should always use a signing algorithm like HS256, RS256, or ES256.
Can I decode JWTs from command line instead?
Yes. You can decode a JWT with: echo "TOKEN" | cut -d. -f2 | base64 -d | jq . — but this requires jq and does not handle URL-safe Base64 padding. This tool does all of that automatically plus expiration checks and warnings.
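The checks this FAQ describes (exactly three parts, Base64URL with its stripped padding restored, valid JSON, the "none" algorithm and expiration warnings), written out as an added JavaScript example that is not Coda One's code. The function names, the 24-hour lifetime threshold and the set of claims flagged as missing are assumptions.

```javascript
// Added example: decode-only JWT inspection. It does NOT verify the signature.
const MAX_LIFETIME_S = 24 * 3600;          // assumed "long lifetime" threshold
const REQUIRED_CLAIMS = ["exp", "iat"];    // assumed set of claims to flag

function b64urlDecode(seg) {
  // Reject standard-Base64 characters, inner whitespace and impossible lengths.
  if (!/^[A-Za-z0-9_-]*$/.test(seg) || seg.length % 4 === 1) {
    throw new Error("corrupted Base64URL segment");
  }
  // Map the URL-safe alphabet back and restore the stripped "=" padding.
  const b64 = seg.replace(/-/g, "+").replace(/_/g, "/")
    .padEnd(seg.length + ((4 - (seg.length % 4)) % 4), "=");
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes);
}

function inspectJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");   // only outer whitespace is tolerated
  if (parts.length !== 3) throw new Error("expected exactly 3 dot-separated parts");
  const [header, payload] = parts.slice(0, 2).map((seg) => {
    const obj = JSON.parse(b64urlDecode(seg));   // throws on invalid JSON
    if (obj === null || typeof obj !== "object") throw new Error("not a JSON object");
    return obj;
  });
  const warnings = [];
  if (String(header.alg).toLowerCase() === "none") warnings.push("alg-none");
  if (parts[2] === "") warnings.push("empty-signature");
  for (const c of REQUIRED_CLAIMS) {
    if (typeof payload[c] !== "number") warnings.push("missing-" + c);
  }
  const { iat, exp, nbf } = payload;
  if (typeof exp === "number" && exp <= nowSeconds) warnings.push("expired");
  if (typeof exp === "number" && typeof iat === "number" && exp - iat > MAX_LIFETIME_S) {
    warnings.push("long-lifetime");
  }
  if (typeof nbf === "number" && nbf > nowSeconds) warnings.push("not-yet-valid");
  return { header, payload, warnings };
}

// Constructed sample token (unsigned, alg "none"); not taken from the page.
const enc = (o) => btoa(JSON.stringify(o)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const SAMPLE = `${enc({ alg: "none", typ: "JWT" })}.${enc({ sub: "demo", iat: 1700000000, exp: 1700003600 })}.`;
console.log(inspectJwt(SAMPLE, 1700000100));
```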
What other Coda One tools are useful for API development?
The Base64 Encoder helps with token-related encoding. The JSON Formatter is useful for inspecting API responses. The Hash Generator can verify HMAC signatures when you have the secret key.
Coda One's JWT Decoder instantly decodes any JSON Web Token into its three color-coded parts: Header, Payload, and Signature. Inspect algorithm, claims, expiration status, and issued-at date at a glance. Get automatic warnings for expired tokens, missing claims, and suspicious patterns. Everything runs in your browser — no data is sent to any server. Free, unlimited, no signup.