Utility Tools
Use this JWT decoder and claims inspector to review token header fields, payload claims, timestamps, scopes, audience, issuer, and signature boundaries before debugging an auth flow.
Live developer utility
{
"sub": "user_123",
"name": "Toolkit Shelf",
"iss": "https://toolkitshelf.com",
"aud": [
"toolkitshelf",
"mcp"
],
"iat": 1717200000,
"nbf": 1717200000,
"exp": 4102444800,
"scope": "read:tools write:drafts"
}Header and payload decoded as JSON.
JWT type, 16 signature characters.
Header fields describe token type, algorithm, and key hints. They are not proof of authenticity without verification.
| Claim | Value | Note |
|---|---|---|
| alg | HS256 | Algorithm named by the token header. This decoder does not verify it. |
| typ | JWT | Type hint for the token, commonly JWT. |
Payload claims are decoded from the token body. Check issuer, audience, subject, and time claims before trusting a flow.
| Claim | Value | Note |
|---|---|---|
| sub | user_123 | Subject: who or what the token represents. |
| name | Toolkit Shelf | Custom claim or provider-specific field. |
| iss | https://toolkitshelf.com | Issuer: who issued the token. |
| aud | ["toolkitshelf","mcp"] | Audience: intended API, app, or service that should accept the token. |
| iat | 1717200000 | Issued-at time as a Unix timestamp in seconds. |
| nbf | 1717200000 | Not before time as a Unix timestamp in seconds. |
| exp | 4102444800 | Expiration time as a Unix timestamp in seconds. |
| scope | read:tools write:drafts | Space-delimited permissions or access scopes in many OAuth-style tokens. |
| Time claim | UTC time | Status |
|---|---|---|
| exp | 2100-01-01T00:00:00.000Z (4,102,444,800) | Valid |
| nbf | 2024-06-01T00:00:00.000Z (1,717,200,000) | Active |
| iat | 2024-06-01T00:00:00.000Z (1,717,200,000) | Issued |
| Review note |
|---|
| This decoder does not verify the signature. Treat the output as decoded text, not proof that the token is trusted. |
{ "alg": "HS256", "typ": "JWT" }
The signature preview is sample-signature. This tool does not verify the signature or fetch signing keys.
JWTs can contain user IDs, emails, scopes, tenant IDs, session hints, or other private data. Decode only tokens you are allowed to inspect and avoid pasting production credentials into shared sessions.
Quick answer
JWT Decoder and Claims Inspector generates decoded JWT header and claims from compact token, header, payload, signature segment, claims and time claims. The visible generation method is Decoded JWT = split compact token into header.payload.signature + Base64URL-decode header and payload + JSON.parse claims + compare NumericDate claims with current time.
Generation method
Decoded JWT = split compact token into header.payload.signature + Base64URL-decode header and payload + JSON.parse claims + compare NumericDate claims with current timeThis decoder does not verify signatures or fetch signing keys. Use it to inspect token contents, not to prove a token is trusted.
How to use
Example
Generator use
Before relying on it
Details
These notes make the assumptions explicit, especially where the same search query can mean slightly different things.
The tool decodes the first two JWT segments as Base64URL JSON and reports signature segment length separately.
A decoded token can still be forged, expired, signed with the wrong key, or intended for another audience.
NumericDate claims are converted to UTC and compared with the current browser time for quick debugging.
Benchmarks
This generator is a drafting aid, not a fixed rule. Use the output to compare options and document your assumptions. Benchmark ranges are broad planning heuristics unless this page names a specific source for the range.
Expired tokens should normally be rejected by the receiving application or API.
A token can be validly signed but still wrong for the API or app receiving it.
The header names an algorithm, but only real signature verification proves trust.
Method and limitations
The generation method, inputs, example, and limitations are shown so the draft output is checkable, not treated as final copy.
Decoded JWT = split compact token into header.payload.signature + Base64URL-decode header and payload + JSON.parse claims + compare NumericDate claims with current time
Compact token, Header, Payload, Signature segment, Claims, Time claims
Utility outputs depend on the encoded payload, file format, target app, scanner, printer, browser, and real-world testing before sharing.
June 6, 2026
Toolkit Shelf. JWT Decoder and Claims Inspector. Last reviewed June 6, 2026. https://toolkitshelf.com/tools/jwt-decoder-claims-inspector
FAQ
No. It decodes the header and payload so you can inspect claims. It does not verify signatures, secrets, public keys, issuer trust, or audience enforcement.
JWTs can contain user IDs, emails, scopes, tenant IDs, or session hints. Decode only tokens you are allowed to inspect, and avoid pasting production credentials into shared sessions.
Start with iss, sub, aud, exp, nbf, iat, scope or scp, alg, and kid. Those usually explain issuer, subject, audience, time validity, permissions, and signing-key hints.
Use the page notes for each tool. Browser-side utilities can generate outputs locally, but the final file or code may still reveal whatever you encode or share.
Scanners, printers, file viewers, apps, and platform previews can behave differently, so test the exact downloaded output before using it publicly.
Different tools may use different rounding, assumptions, default rates, methods, formulas, or input timing. Compare the visible method and inputs before relying on the output.