JWT Decoder | Inspect any JWT in seconds

Decode and inspect JSON Web Tokens (JWT) instantly in your browser. View the header, payload, and signature. Check expiration (exp), issued-at (iat), and not-before (nbf) claims. Verify HS256/HS384/HS512 signatures with a secret or RS256/RS384/RS512 with a public key. Token is never logged or stored.

In your browser Updated 05/2026

Paste any JSON Web Token below to decode it. Your token is processed in your browser session — we do not log or store it.

Use this tool from your AI agent

Free JSON API and Model Context Protocol (MCP) server. No signup, no API key, CORS open. Designed for Claude, ChatGPT, Cursor, scripts and frontend apps.

curl

# POST the token (and, for HS256/384/512, the shared secret) as JSON
curl -X POST https://mate.tools/api/v1/jwt-decode.php \
  -H "Content-Type: application/json" \
  -d '{"token":"eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjMifQ.signature","secret":"your-256-bit-secret"}'

Python

import urllib.request, json

# Passing data= makes urllib send a POST request with the JSON body
req = urllib.request.Request(
    "https://mate.tools/api/v1/jwt-decode.php",
    data=json.dumps({"token":"eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjMifQ.signature","secret":"your-256-bit-secret"}).encode(),
    headers={"Content-Type": "application/json"},
)
with urllib.request.urlopen(req) as r:
    print(json.load(r))

JavaScript

// Top-level await: run this as an ES module or inside an async function
const r = await fetch("https://mate.tools/api/v1/jwt-decode.php", {
    method: "POST",
    headers: { "Content-Type": "application/json" },
    body: JSON.stringify({"token":"eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjMifQ.signature","secret":"your-256-bit-secret"}),
});
console.log(await r.json());

Add to claude_desktop_config.json (Claude Desktop), ~/.cursor/mcp.json (Cursor), or any other MCP-compatible client:

{
  "mcpServers": {
    "mate-tools": {
      "command": "npx",
      "args": ["-y", "@mate-tools/mcp-server"]
    }
  }
}

API documentation · OpenAPI 3.1 · npm

Limits: 60 req/min · 600 req/hour · 1 MB body cap

How to Use

  1. Paste your JWT token in the input field above.
  2. Click Decode to view the header, payload, and signature.
  3. For signature verification, provide the secret (HS256/384/512) or public key (RS256/384/512).
  4. Check the expiration status to see whether the token is still active.

Key Features

  • Decodes JWT header and payload in one click
  • Verifies HS256, HS384, HS512 signatures with a secret
  • Verifies RS256, RS384, RS512 signatures with a public key
  • Shows expiration, not-before, and issued-at timestamps in human-readable form
  • Token is never logged or stored on our servers

Common Use Cases

  • Debug authentication flows in your application
  • Inspect tokens returned by an OAuth or OpenID Connect provider
  • Check when an access token expires
  • Verify a token was signed by the expected issuer

Frequently Asked Questions

A JWT is a compact, URL-safe way to represent claims between two parties. It is composed of three parts — header, payload, and signature — separated by dots. JWTs are widely used in authentication and authorization (OAuth 2.0, OpenID Connect, single sign-on).

Yes — the token is sent to our server only so PHP can decode and (optionally) verify the signature. The token is never logged, never stored, and never written to disk. It only exists in memory for the duration of the request.

We verify HS256, HS384, HS512 (HMAC with SHA-2) when you provide the shared secret, and RS256, RS384, RS512 (RSA with SHA-2) when you provide the issuer's public key in PEM format. Other algorithms (ES256, EdDSA, etc.) are decoded but not verified.

The exp (expiration) claim is a Unix timestamp after which the token must no longer be accepted. An expired JWT should be rejected by the server even if the signature is valid. Use a refresh token to obtain a new access token.

No. Decoding a JWT only reads its contents — it does not prove the token is genuine. You must always verify the signature with the issuer's secret or public key before trusting any claim inside it.
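
The difference between decoding and verifying, together with the exp and nbf rules above, as an added example that is not this tool's own code: a local HS256/384/512 check using only the Python standard library, so the shared secret stays on your machine. The secret and both tokens are constructed sample data, and the function names are this example's own.

```python
import base64, hashlib, hmac, json, time

HASHES = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}

def b64url_decode(part):
    # JWT segments are unpadded base64url; restore padding before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def decode(token):
    """Read header and payload. This proves nothing about authenticity."""
    header, payload, _sig = token.split(".")
    return json.loads(b64url_decode(header)), json.loads(b64url_decode(payload))

def verify(token, secret, allowed=("HS256",), now=None):
    """Return the payload only if the signature and time claims check out."""
    header, payload = decode(token)
    alg = header.get("alg")
    # The verifier pins the algorithm; the token's own header is untrusted input.
    if alg not in allowed or alg not in HASHES:
        raise ValueError("algorithm not allowed")
    signing_input, _, sig = token.rpartition(".")
    expected = hmac.new(secret, signing_input.encode(), HASHES[alg]).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    now = time.time() if now is None else now
    if "exp" in payload and now >= payload["exp"]:
        raise ValueError("token expired")
    if "nbf" in payload and now < payload["nbf"]:
        raise ValueError("token not yet valid")
    return payload

def status(token, secret, now=None):
    try:
        verify(token, secret, now=now)
        return "valid"
    except ValueError as exc:
        return str(exc)

# Constructed sample data: demo secret and tokens, not real credentials.
SECRET = b"constructed-demo-secret"
HEAD = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
BODY = b64url_encode(b'{"sub":"123","exp":2000000000}')
MAC = hmac.new(SECRET, f"{HEAD}.{BODY}".encode(), hashlib.sha256).digest()
GOOD = f"{HEAD}.{BODY}.{b64url_encode(MAC)}"
# Same header and signature, edited payload: decodes fine, must not verify.
FORGED = ".".join([HEAD, b64url_encode(b'{"sub":"admin","exp":2000000000}'), GOOD.split(".")[2]])
```

`decode(FORGED)` happily returns the edited `sub`, while `status(FORGED, SECRET)` reports a bad signature; only the payload returned by `verify` should ever reach authorization logic.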