UtilVox
🔑
Security · Identity

JWT Decoder — Free JSON Web Token Inspector

Decode, inspect, and verify JSON Web Tokens instantly with deep claim analysis.

Encoded Token
HeaderALGORITHM & TYPE
{ "alg": "HS256", "typ": "JWT" }
PayloadDATA CLAIMS
{ "sub": "1234567890", "name": "John Doe", "iat": 1516239022, "exp": 1720416000 }
Verify Signature

HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)

list_alt Claim Registry

ClaimDescription
issIssuer: Entity that issued the token
subSubject: The principal (user) of the token
audAudience: Intended recipients
expExpiration: Time token must no longer be accepted
iatIssued At: Time token was created

JWT Insights

Are my tokens sent to a server?
No. UtilVox decodes all JWTs locally in your browser. Your sensitive tokens and keys never leave your device.
Why does it say 'Invalid Signature'?
To verify a signature, you must provide the correct Secret or Public Key. Without it, the decoder can only show you the Header and Payload contents.
What do the colors mean?
Following the JWT standard: RED represents the Header (algorithm/type), PURPLE represents the Payload (data/claims), and BLUE represents the Signature.

Reading a JWT Without Getting Fooled by It

The three parts of every token

A JWT is three Base64URL segments separated by dots — paste one above and they unfold:

PartContainsWorth checking
HeaderAlgorithm (alg) and token typealg: none or unexpected algorithm = red flag
PayloadClaims: sub, exp, iat, roles, custom dataexp (expiry) explains most 401 errors
SignatureCryptographic seal over the first two partsCan't be verified without the secret/key

Decoding is not verifying — the critical difference

Anyone can decode a JWT; that's by design — the payload is readable, not secret. What the decoder cannot tell you is whether the token is authentic: that requires checking the signature against the issuing server's secret or public key. Two consequences follow. Never put sensitive data in a JWT payload (it's effectively plaintext), and never trust client-side decoding for authorization decisions — a tampered payload decodes just as cleanly as a real one.

The debugging routine

API suddenly returning 401? Decode the token and read exp — expired tokens are the cause nine times out of ten. Role missing from a permissions check? Look at the actual claims rather than what the docs promise. Decoding here happens in your browser, which matters: production tokens pasted into a server-side tool are credentials handed to a stranger. The raw segments are plain Base64 if you want to inspect them manually, and signature hashes relate to the SHA-256 generator.