
JWT Decoder

Decode JWTs, verify HMAC signatures, check expiry, and run a security audit — 100% in your browser. Your token never leaves your device.



You can also add ?token=... to the URL.


What Is a JWT Token?

A JWT (JSON Web Token) is an open standard (RFC 7519) for securely transmitting information between parties as a compact, URL-safe string. A JWT has three Base64URL-encoded parts separated by dots:

eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyXzEyMyJ9.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

The three parts are: Header (algorithm + token type), Payload (claims — user data, expiry, roles), and Signature (verifies the token has not been tampered with). Decoding the header and payload is just Base64URL — no secret needed. Verifying the signature requires the secret or public key.
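As an added example (not the tool's own code), here is a browser-compatible decoder that accepts the same inputs the tool does: a bare token, an Authorization header value with a Bearer prefix, or a URL carrying a ?token= parameter. It uses a strict Base64URL decoder (alphabet check plus padding restoration, since atob needs padding in some runtimes) and reports malformed tokens instead of silently returning garbage. SAMPLE_JWT is the token shown above; the function names are this example's own and nothing here needs a secret.

```javascript
// Added example (not the tool's own code): decode a JWT's header and payload
// with a strict Base64URL decoder. Runs unchanged in browsers and in Node 16+,
// where atob, TextDecoder and URL are all globals.

// The sample token shown on the page (header {"alg":"HS256"}, payload {"sub":"user_123"})
const SAMPLE_JWT =
  "eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyXzEyMyJ9.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c";

// Accept a bare token, a "Bearer <token>" header value, or a URL with ?token=...
function extractToken(input) {
  let s = input.trim();
  s = s.replace(/^bearer\s+/i, "");
  if (/^https?:\/\//i.test(s)) {
    const t = new URL(s).searchParams.get("token");
    if (!t) throw new Error("URL has no token parameter");
    s = t;
  }
  return s;
}

// Base64URL -> UTF-8 string. Rejects characters outside the Base64URL alphabet
// (a '+' or '/' means the token was mangled or is not a JWT) and restores '=' padding.
function base64UrlDecode(part) {
  if (!/^[A-Za-z0-9_-]*$/.test(part)) throw new Error("not Base64URL");
  if (part.length % 4 === 1) throw new Error("invalid Base64URL length");
  const pad = (4 - (part.length % 4)) % 4;
  const b64 = part.replace(/-/g, "+").replace(/_/g, "/") + "=".repeat(pad);
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  return new TextDecoder("utf-8").decode(bytes);
}

// Split on the two dots and decode header and payload; the signature stays opaque.
function decodeJwt(input) {
  const token = extractToken(input);
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("malformed JWT: expected 3 dot-separated parts");
  const [h, p, s] = parts;
  let header, payload;
  try {
    header = JSON.parse(base64UrlDecode(h));
    payload = JSON.parse(base64UrlDecode(p));
  } catch (e) {
    throw new Error("malformed JWT: " + e.message);
  }
  return { header, payload, signature: s };
}

// Human-readable view of the exp claim; nowSeconds is injectable for testing.
function describeExpiry(payload, nowSeconds = Math.floor(Date.now() / 1000)) {
  if (typeof payload.exp !== "number") return { hasExp: false };
  const remaining = payload.exp - nowSeconds;
  return {
    hasExp: true,
    expiresAt: new Date(payload.exp * 1000).toISOString(),
    expired: remaining <= 0,
    secondsRemaining: remaining,
  };
}
```

Calling decodeJwt(SAMPLE_JWT) returns the header with alg "HS256" and the payload with sub "user_123"; note that the sample payload has no exp, which is exactly the kind of gap the security audit further down flags.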

How it works

Decode and Inspect JWTs in Seconds

01 Paste your JWT

Paste a full JWT, a URL with ?token=... param, or a Bearer header. The tool strips prefixes automatically.

02 Inspect claims

View header algorithm, all payload claims, and human-readable expiry and issued-at timestamps.

03 Verify signature

Enter your HMAC secret (HS256/384/512) to verify the signature — entirely in your browser.

04 Run security audit

Detect the alg:none vulnerability, short secrets, missing exp/nbf claims, and other common JWT security issues.

Use cases

When Developers Use a JWT Decoder

Debug Auth Failures

Decode the token from a failed API request to check if exp is in the past, sub is correct, or required claims are missing.

Check Token Expiry

Instantly see the exact exp datetime and how much time remains — no code needed.

Verify HMAC Signatures

Test that your signing secret is correct by verifying HS256/HS384/HS512 signatures locally.

Security Audit

Detect the alg:none attack, weak or default secrets, missing nbf/iat claims, and other JWT vulnerabilities.

Inspect Provider Tokens

Decode Auth0, Cognito, Firebase, or Okta tokens to see the claims and issuer without leaving your browser.

Extract Claims for Testing

Pull user IDs, roles, and custom claims out of tokens when writing integration tests or mocking auth.

JWT Standard Claims Reference

Claim   Full name    Meaning
iss     Issuer       Who created and signed the token (e.g. https://accounts.google.com)
sub     Subject      Who the token refers to — typically a user ID
aud     Audience     Who the token is intended for — your API or app
exp     Expiration   Unix timestamp after which the token is invalid
nbf     Not Before   Unix timestamp before which the token must not be accepted
iat     Issued At    Unix timestamp when the token was issued
jti     JWT ID       Unique identifier — used to prevent token replay

Is jwt.io Safe? Why Client-Side Matters

jwt.io is widely used but sends tokens to their servers for processing. For tokens containing user IDs, emails, roles, or session data, that can be a privacy concern — especially in regulated environments or when debugging production issues. This JWT Decoder runs 100% in your browser: no network request is made, and no data is logged. Decoding is just Base64URL and requires no server. Your token never leaves your device.

FAQ

Frequently Asked Questions

1. How do I decode a JWT token?
Paste your JWT above. It splits on the two dots, Base64URL-decodes the header and payload, and shows all claims in readable JSON — entirely in your browser, nothing sent to any server.

2. Is it safe to paste JWT tokens into online decoders?
Only if the tool is 100% client-side. This decoder processes everything locally — no network request is made, your token never leaves your device. Safe for production tokens and sensitive credentials.

3. How do I check if a JWT token is expired?
Paste your JWT. The decoder reads the exp claim (a Unix timestamp) and shows the exact expiration datetime, whether the token is currently valid, and remaining or elapsed lifetime in human-readable format.

4. How do I verify a JWT signature?
Enter your HMAC secret in the verification field. The decoder runs HMAC-SHA256/384/512 locally in your browser and confirms whether the token signature matches — no server involved.

5. What is the JWT "none" algorithm vulnerability?
The alg:none attack allows an attacker to set the algorithm to "none" and strip the signature, potentially bypassing verification on vulnerable servers. This decoder's security audit flags this automatically alongside other issues like missing exp or default weak secrets.

6. What does a JWT token look like?
A JWT has three Base64URL-encoded parts separated by dots. The first starts with eyJ (the encoded {"), making most JWTs recognizable by that prefix. The third part is the cryptographic signature and cannot be decoded without the secret.

7. What is a JWT token?
A JWT (JSON Web Token) is an open standard (RFC 7519) for securely transmitting information as a compact URL-safe string. It has three Base64URL-encoded parts — header, payload, and signature — separated by dots.

8. How do I decode a JWT without a secret?
The header and payload are just Base64URL-encoded JSON — no secret is needed to decode them. Only signature verification requires the secret or public key. Paste the JWT and read the claims freely.

9. What is the difference between HS256 and RS256?
HS256 uses a shared HMAC secret (symmetric) — both signer and verifier use the same key. RS256 uses an RSA key pair (asymmetric) — the server signs with a private key and clients verify with a public key. RS256 is safer for distributed systems.

10. What claims are in a JWT payload?
Standard claims: iss (issuer), sub (subject/user ID), aud (audience), exp (expiration), nbf (not before), iat (issued at), jti (JWT ID). Apps also add custom claims like roles, email, or permissions.

11. What does a JWT malformed error mean?
A "malformed" JWT error means the token does not have the expected three dot-separated parts, or a part is not valid Base64URL. Common causes: truncated token, extra whitespace, or URL-encoding that changed + to a space.

12. How do I decode a JWT in JavaScript?
Use jwt-decode: jwtDecode(token). Or manually: JSON.parse(atob(token.split(".")[1].replace(/-/g,"+").replace(/_/g,"/"))).