What is the JWT Decoder?
A JWT decoder splits a JSON Web Token into header, payload, and signature, decodes the Base64URL segments, parses the JSON, validates expiration claims (exp, iat, nbf), and shows you everything in a structured view. This one also signs new JWTs and verifies HS256/HS384/HS512 signatures, all in your browser. Your token and secret never leave the page.
Most online JWT debuggers run on a server. You paste your token, they parse it, and you have to trust them not to log it. We use Web Crypto subtle.sign for HMAC operations and atob for Base64URL, all local. Same UX, no trust required.
How it works
Features
Why this decoder
jwt.io is great but you're sending tokens to their server. Our HMAC verify runs locally via Web Crypto. Tokens never leave your laptop.
Most decoders only decode. We let you sign. Useful when testing API auth flows or building OIDC test fixtures.
Unix timestamps in JWTs are a usability nightmare. We render them as human dates with relative-time labels.
Flags weak signing algorithms, missing claims, expired tokens. Catches mistakes before they hit production.
Who uses it
Real use cases
- Your API request is rejecting a JWT and you suspect it's expired. Paste the token, see the exp timestamp + relative time. Yep, expired 3 hours ago. Refresh and retry.
- An Okta access_token shows up in your logs with claims you don't recognize. Decode it, see iss, aud, scope, sub. Match to your application config.
- You need to test your API's auth middleware locally. Sign a custom JWT with HS256 + your secret + a synthetic payload. Send it as Authorization: Bearer ... and your middleware accepts it.
- Production is leaking auth tokens in error logs. Paste a leaked token, decode the payload, identify which user / scope is affected. Trigger a forced re-auth.
- A frontend dev asks why their JWT verification fails. Decode their token, check the alg in header. They signed HS256 but server expects HS384. Mismatch found.
- You're explaining JWTs in a code review. Open the decoder, paste an example token, point at header.alg = HS256, payload.exp expiration, signature segment. Click Sign mode. Perfect demo.
Compared with other tools
| Feature | Molixa | jwt.io | jwt-decoder.io | DenCode |
|---|---|---|---|---|
| Decode | Yes | Yes | Yes | Yes |
| HS256/384/512 verify | Yes (local) | Yes (server) | Yes | Yes |
| JWT signing | Yes | Yes | No | Yes |
| Time claim humanizer | Yes | Partial | No | No |
| Anti-pattern warnings | Yes | No | No | No |
| Free, no signup | Yes | Yes | Yes | Yes |
| Browser-only verify | Yes | Server-side | Server-side | Yes |
Frequently asked questions
Is the JWT decoder free?
Yes. Unlimited use, no signup, browser-only. jwt.io is the de-facto standard but ships HS256/RS256/ES256 verification only when you trust them with your tokens; we run all the math locally.
What's a JWT?
JSON Web Token. Three Base64URL-encoded segments joined by dots: header.payload.signature. Used for stateless authentication in APIs and OIDC flows. The signature lets the server trust the token without storing session state.
Is my token sent anywhere?
No. Decoding runs in your browser via atob(). Verification (HS256) runs via Web Crypto subtle.sign. Even your secret never leaves the page. Compare with online debuggers that send your token to their server for parsing.
Which algorithms can I verify?
HS256, HS384, HS512: the HMAC-based algorithms. Web Crypto handles those natively. For RS256/ES256 (RSA / ECDSA), you need a public key in JWK or PEM format and a few extra steps; we plan to add those.
How do I check if my token is expired?
The decoder shows a status badge: valid, expired, not-yet-valid (nbf in future), or no-expiry. The exp claim is interpreted as Unix seconds and compared to your local clock.
What's the difference between 'iat' and 'exp'?
iat = issued at (when the token was created). exp = expiration (when it stops being valid). Standard rotation: server creates token at iat, sets exp = iat + 3600 (1 hour), client refreshes before exp.
What's 'nbf'?
Not before. The token is invalid until this timestamp. Used for delayed-activation tokens. Less common than exp/iat. Always check nbf if your token includes it.
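The decode step and the exp/nbf status check described in the answers above, as an added example (not Molixa's code). The function names, the sample token and the fixed clock are constructed for illustration; note the Base64URL-to-Base64 conversion that atob() needs.

```javascript
// Added example, not Molixa's code: decode a JWT (no verification) and
// classify its time claims. All function names here are illustrative.

// atob() only accepts the standard Base64 alphabet, so map the URL-safe
// characters back and restore the padding that Base64URL drops.
function decodeSegment(segment) {
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return JSON.parse(new TextDecoder().decode(bytes)); // UTF-8 safe
}

function decodeJwt(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  return { header: decodeSegment(parts[0]), payload: decodeSegment(parts[1]) };
}

// exp and nbf are Unix seconds, while Date.now() returns milliseconds.
function timeStatus(payload, nowSeconds = Math.floor(Date.now() / 1000)) {
  if (typeof payload.nbf === "number" && nowSeconds < payload.nbf) return "not-yet-valid";
  if (typeof payload.exp !== "number") return "no-expiry";
  return nowSeconds >= payload.exp ? "expired" : "valid";
}

// Human-readable distance between a claim timestamp and "now".
function relativeTime(ts, nowSeconds) {
  const delta = ts - nowSeconds, abs = Math.abs(delta);
  const label = abs >= 3600 ? `${Math.floor(abs / 3600)}h`
    : abs >= 60 ? `${Math.floor(abs / 60)}m` : `${abs}s`;
  return delta >= 0 ? `in ${label}` : `${label} ago`;
}

// Constructed sample token; the third segment is a placeholder, not a real signature.
const toSegment = (obj) =>
  btoa(JSON.stringify(obj)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const sampleToken = [
  toSegment({ alg: "HS256", typ: "JWT" }),
  toSegment({ sub: "user-1", iat: 1700000000, exp: 1700003600 }),
  "placeholder",
].join(".");

const { payload } = decodeJwt(sampleToken);
const now = 1700003600 + 3 * 3600; // fixed clock so the output is reproducible
console.log(timeStatus(payload, now), relativeTime(payload.exp, now));
```

Decoding alone proves nothing about who issued the token; the status is only meaningful once the signature has been verified.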
Can I sign my own JWT?
Yes. Switch to Sign mode, paste header (or use defaults), paste payload, set secret. We compute HS256/HS384/HS512 signature via Web Crypto and emit the full token. Useful for testing API auth flows locally.
Why does my JWT verify mismatch?
Three usual causes. (1) Wrong secret: the secret used to sign must match the one used to verify. (2) Token tampered with: even a one-byte change invalidates the signature. (3) Algorithm mismatch: a token signed with HS256 won't verify with HS384.
Is JWT secure?
JWT itself is just a format. Security depends on (a) signing algorithm strength: HS256 is fine if the secret is strong; (b) secret strength: 32+ random bytes for HS-family; (c) implementation: never accept the 'none' algorithm, always validate the signature server-side, never trust unverified payloads.
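An added example (not Molixa's code) of HS-family signing and verification with Web Crypto, showing the three mismatch causes listed above and the rejection of 'none' by pinning the expected algorithm. The function names, reason strings and demo secret are constructed for illustration.

```javascript
// Added example, not Molixa's code. signHs/verifyHs are illustrative names.
const HS_HASH = { HS256: "SHA-256", HS384: "SHA-384", HS512: "SHA-512" };
// Browsers and current Node expose Web Crypto globally; older Node needs the module.
const subtle = (globalThis.crypto ?? require("node:crypto").webcrypto).subtle;
const utf8 = new TextEncoder();

const toB64Url = (bytes) =>
  btoa(String.fromCharCode(...bytes)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const fromB64Url = (s) => {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  return Uint8Array.from(atob(b64 + "=".repeat((4 - (b64.length % 4)) % 4)), (c) => c.charCodeAt(0));
};
const hmacKey = (secret, alg, usage) =>
  subtle.importKey("raw", utf8.encode(secret), { name: "HMAC", hash: HS_HASH[alg] }, false, [usage]);

// Sign mode: header.alg selects the hash; the signature covers "header.payload".
async function signHs(header, payload, secret) {
  const input = [header, payload].map((o) => toB64Url(utf8.encode(JSON.stringify(o)))).join(".");
  const sig = await subtle.sign("HMAC", await hmacKey(secret, header.alg, "sign"), utf8.encode(input));
  return `${input}.${toB64Url(new Uint8Array(sig))}`;
}

// expectedAlg comes from the verifier's own configuration, never from the token.
async function verifyHs(token, secret, expectedAlg) {
  const parts = token.split(".");
  if (parts.length !== 3) return { ok: false, reason: "malformed" };
  const [h, p, s] = parts;
  let header, sig;
  try { header = JSON.parse(new TextDecoder().decode(fromB64Url(h))); sig = fromB64Url(s); }
  catch (e) { return { ok: false, reason: "malformed" }; }
  // Rejects "none" and any HS256/HS384 mix-up before the key is touched.
  if (!HS_HASH[expectedAlg] || header.alg !== expectedAlg) return { ok: false, reason: "alg-mismatch" };
  const key = await hmacKey(secret, expectedAlg, "verify");
  // subtle.verify recomputes the MAC and compares it inside the crypto implementation.
  const ok = await subtle.verify("HMAC", key, sig, utf8.encode(`${h}.${p}`));
  return ok ? { ok: true, payload: JSON.parse(new TextDecoder().decode(fromB64Url(p))) }
            : { ok: false, reason: "bad-signature" }; // wrong secret or tampered bytes
}

// Constructed demo values; the secret is a placeholder, not a real key.
async function demo() {
  const secret = "constructed-demo-secret-not-for-real-use";
  const token = await signHs({ alg: "HS256", typ: "JWT" }, { sub: "user-1" }, secret);
  return [await verifyHs(token, secret, "HS256"), await verifyHs(token, secret, "HS384")];
}
demo().then(console.log);
```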
The JWT Decoder page is built, reviewed, and maintained by the Molixa team. We use the tool we ship and update the docs when the behavior changes.