What is the Jsony JWT Decoder?
A privacy-respecting JWT inspector. Paste a token, see its three parts (header, payload, signature) decoded into readable JSON. Use it to check what claims a token carries, when it expires, who issued it, and what the signature looks like — without sending the token to a third-party server.
The decoder is deliberately scoped to inspection. It doesn't verify the signature. That's a separate question (one that requires the issuer's key) and can't be answered honestly in a browser. See the FAQ below for the longer version of why.
How to use it
- Paste your token. A Bearer prefix is fine — it gets stripped automatically.
- Read the decoded panels. Header (purple) shows the algorithm and token type. Payload (amber) shows the claims — who, when, what. Signature (green) is shown raw.
- Check the standard claims summary. Below the payload, a small table calls out iss, sub, aud, exp, iat, nbf, jti. Timestamps are shown as ISO dates plus a relative time. Expired tokens and tokens that aren't yet valid (nbf in the future) are flagged red.
- Copy a section with the per-section Copy button if you need to paste the decoded JSON elsewhere.
Common use cases
Debugging authentication errors. "The API returned 401 with my token attached." Paste the token here, confirm it hasn't expired, check that the audience matches what the API expects.
Inspecting third-party tokens. An OAuth provider gave you a JWT and you want to see what it actually contains. The decoder is faster than copy-pasting into a console to call atob twice.
Verifying expiration during testing. While testing time-based logic, paste a token to confirm what its exp resolves to in your local time zone. The relative time ("in 5 minutes") makes test setup easier to reason about.
A note on signature verification
Many online JWT tools have a "verify signature" box that asks you to paste your secret. Don't. Either:
- Their JS does the verification client-side, in which case the tool didn't actually need your secret to be on their domain — it could have been entirely local. So why did they ask?
- Or the verification happens server-side, in which case your secret is now on someone else's server. Bad.
Jsony doesn't offer signature verification at all. If you need to verify, do it where the secret already lives: your API server, your CLI, your test environment.
Frequently asked questions
- Is it safe to paste my JWT here?
- Yes, safer than most online JWT decoders. Decoding runs entirely in your browser — no token is sent to a server, no analytics tracks the input. The complete source is open on GitHub. That said: a JWT often contains identifying claims (sub, email), so general caution about pasting tokens into any tool still applies.
- Why doesn't this verify the signature?
- Signature verification requires the issuer's secret or public key. Doing that in a browser would mean either trusting the page with your secret (defeats the point) or trusting a server (defeats the point). Verification is fundamentally a server-side operation. This tool decodes for inspection — useful for debugging, comparing claims, checking expiration — but doesn't claim to verify authenticity.
- What's the color coding?
- Standard JWT convention: header is purple/violet, payload is amber/yellow, signature is green. Same scheme jwt.io uses, so the visual matches what most developers expect.
- Does it understand standard claims?
- Yes. iss, sub, aud, exp, iat, nbf, and jti are surfaced in a separate claims summary. Timestamps (exp, iat, nbf) are converted to ISO dates and a relative time (e.g., "in 2 days" or "3 hours ago"). Expired or not-yet-valid tokens are flagged.
- What if my token is in the wrong format?
- The decoder expects three dot-separated segments (header.payload.signature). 'Bearer ' prefixes are stripped automatically. If a segment isn't valid base64url or doesn't decode to JSON, you'll get a specific error pointing at which segment failed.
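The format handling described in the answers above (Bearer prefix, three segments, per-segment errors, exp/nbf flags) can be sketched locally as follows. This is an added example, not Jsony's own source; the function names and the sample token are assumptions constructed for illustration.

```javascript
// Added example (hypothetical names): inspection only, no signature verification.
function b64urlToText(seg) {
  if (!/^[A-Za-z0-9_-]+$/.test(seg) || seg.length % 4 === 1) {
    throw new Error("invalid base64url"); // bad alphabet or impossible length
  }
  const b64 = seg.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes);
}

function inspectJwt(input, nowSec = Math.floor(Date.now() / 1000)) {
  const token = input.trim().replace(/^Bearer\s+/i, "");
  const parts = token.split(".");
  if (parts.length !== 3) {
    throw new Error(`expected 3 dot-separated segments, got ${parts.length}`);
  }
  const out = { signature: parts[2] }; // kept raw, never checked
  ["header", "payload"].forEach((name, i) => {
    let text;
    try {
      text = b64urlToText(parts[i]);
    } catch (e) {
      throw new Error(`${name}: not valid base64url`);
    }
    try {
      out[name] = JSON.parse(text);
    } catch (e) {
      throw new Error(`${name}: does not decode to JSON`);
    }
    if (out[name] === null || typeof out[name] !== "object") {
      throw new Error(`${name}: not a JSON object`);
    }
  });
  const { exp, nbf } = out.payload;
  out.expired = typeof exp === "number" && nowSec >= exp;
  out.notYetValid = typeof nbf === "number" && nowSec < nbf;
  return out;
}

// Constructed sample token (not a real credential; signature is a placeholder).
const enc = (o) =>
  btoa(JSON.stringify(o)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const SAMPLE_TOKEN = "Bearer " + [
  enc({ alg: "HS256", typ: "JWT" }),
  enc({ iss: "https://issuer.example", sub: "user-1", exp: 1700000000 }),
  "c2lnLXBsYWNlaG9sZGVy",
].join(".");
console.log(inspectJwt(SAMPLE_TOKEN, 1700000001));
```

The expired and notYetValid flags describe only what the claims say; a token whose signature was never checked can carry any exp it likes.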
Related tools
The JSON Formatter can take the decoded payload (or header) and let you explore it as a tree. The Base64 encoder/decoder (coming soon) is useful when you're debugging the raw segments of a token directly.