JWT Decoder
Decode JWT header and payload instantly in your browser without sending data to a server.
Paste a JWT and click Decode.
What is JWT Decoder?
JWT Decoder reads the header and payload of a JSON Web Token (JWT) and displays them in readable JSON. Decoding happens entirely in your browser — the token is never sent to any server. Note: this tool decodes only; it does not verify the signature.
How to use
- Paste a JWT (three Base64URL-encoded parts separated by dots) into the input.
- Click Decode.
- The Header section shows the algorithm and token type.
- The Payload section shows the claims such as sub, exp, and custom fields.
Notes
- The signature (third part) is not verified. Do not rely on this tool for authentication or trust decisions.
- JWTs are Base64URL-encoded, not encrypted. Anyone with the token can decode the payload.
- Avoid pasting production tokens containing sensitive user data into any online tool.
FAQ
- What does a JWT look like?
- A JWT is three Base64URL strings joined by dots: xxxxx.yyyyy.zzzzz. The first is the header, the second is the payload, and the third is the signature.
- Can this tool verify a JWT signature?
- No. Signature verification requires the secret key or public key used when the token was signed. This tool only decodes the Base64URL-encoded parts.
- What is the exp field?
- The exp claim is a Unix timestamp indicating when the token expires. Compare it to the current time to check validity.
Overview
Decode the header and payload of a JSON Web Token (JWT) into readable JSON. Useful for debugging authentication flows and inspecting claims such as exp, sub, and custom fields.
How to use
- Paste a JWT (three Base64URL parts separated by dots).
- Click Decode.
- Inspect the header (algorithm, type) and payload (claims) as formatted JSON.
Examples
- Check token expiry
  Input: An access token from your dev environment
  Output: The exp claim as a Unix timestamp you can compare with the current time.
- Verify claim contents
  Input: An ID token
  Output: sub, aud, iss, and custom claims displayed as JSON.
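The decode and expiry steps described above, written out in JavaScript as an added example (this is not the tool's own code). The function names, the sample claims and the filler signature are assumptions constructed for the example; the second token reuses the first one's header and signature with a different payload to show that decoding alone accepts it.

```javascript
// Added example: decode-only inspection. The signature is never verified here.

// Base64URL -> UTF-8 text: restore the standard alphabet and the padding first.
function b64urlToString(part) {
  if (!/^[A-Za-z0-9_-]+$/.test(part)) throw new Error("not Base64URL");
  const b64 = part.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes);
}

// Split on dots and parse the first two parts as JSON.
function decodeJwt(token) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  return {
    header: JSON.parse(b64urlToString(parts[0])),
    payload: JSON.parse(b64urlToString(parts[1])),
    signature: parts[2], // kept as-is: checking it needs the signing key
  };
}

// exp is seconds since the Unix epoch; compare it with the current time.
function expiryStatus(payload, nowSeconds = Math.floor(Date.now() / 1000)) {
  if (typeof payload.exp !== "number") return "no exp claim";
  return payload.exp <= nowSeconds ? "expired" : "not expired";
}

// Constructed sample data (not a real token; the signature part is filler).
const toB64url = (obj) =>
  btoa(JSON.stringify(obj)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const HEADER = toB64url({ alg: "HS256", typ: "JWT" });
const FILLER_SIG = "c2lnbmF0dXJlLW5vdC1jaGVja2Vk";
const SAMPLE_TOKEN =
  [HEADER, toB64url({ sub: "user-123", exp: 1700000000 }), FILLER_SIG].join(".");
// Same header and signature, different payload: it decodes just as cleanly,
// which is why decoded claims must not drive trust decisions.
const ALTERED_TOKEN =
  [HEADER, toB64url({ sub: "user-123", exp: 4102444800 }), FILLER_SIG].join(".");

const NOW = 1750000000; // fixed clock so the output is repeatable
for (const t of [SAMPLE_TOKEN, ALTERED_TOKEN]) {
  const { header, payload } = decodeJwt(t);
  console.log(header.alg, payload.sub, payload.exp, expiryStatus(payload, NOW));
}
```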
Notes
- This tool decodes only; it does not verify the signature. Never use it for trust decisions.
- JWTs are Base64URL-encoded, not encrypted. Anyone holding a token can read its payload.
- Avoid pasting production tokens containing sensitive user data into any online tool.
FAQ
- Can this tool verify a JWT signature?
- No. Verification requires the signing secret or public key. The tool only decodes the Base64URL parts.
- Is a JWT encrypted?
- A standard signed JWT (JWS) is only encoded, not encrypted. Use JWE if payload confidentiality is required.
- Is my token uploaded?
- No. Decoding happens entirely in your browser, but prefer non-production tokens as a general precaution.