
JWT Decoder

Decode JWT header and payload instantly in your browser without sending data to a server.

What is JWT Decoder?

JWT Decoder reads the header and payload of a JSON Web Token (JWT) and displays them in readable JSON. Decoding happens entirely in your browser — the token is never sent to any server. Note: this tool decodes only; it does not verify the signature.

How to use

  1. Paste a JWT (three Base64URL-encoded parts separated by dots) into the input.
  2. Click Decode.
  3. The Header section shows the algorithm and token type.
  4. The Payload section shows the claims such as sub, exp, and custom fields.

Notes

  • The signature (third part) is not verified. Do not rely on this tool for authentication or trust decisions.
  • JWTs are Base64URL-encoded, not encrypted. Anyone with the token can decode the payload.
  • Avoid pasting production tokens containing sensitive user data into any online tool.

FAQ

What does a JWT look like?
A JWT is three Base64URL strings joined by dots: xxxxx.yyyyy.zzzzz. The first is the header, the second is the payload, and the third is the signature.
Can this tool verify a JWT signature?
No. Signature verification requires the secret key or public key used when the token was signed. This tool only decodes the Base64URL-encoded parts.
What is the exp field?
The exp claim is a Unix timestamp (in seconds) indicating when the token expires. Compare it to the current time to check whether the token has expired.
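The decoding steps described above can be reproduced locally instead of pasting a token into a web page. The following is an added example, not this tool's own code: the function names, the sample claims and the dummy signature are constructed for illustration. Like the tool, it decodes only and never verifies the signature.

```javascript
// Decode-only JWT inspection: header + payload, with an exp check.
function b64urlToText(part) {
  if (!/^[A-Za-z0-9_-]+$/.test(part)) throw new Error("not Base64URL");
  // Map the URL-safe alphabet back to standard Base64 and restore padding.
  const b64 = part.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  // fatal: true rejects invalid UTF-8 instead of silently substituting U+FFFD.
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes);
}

function decodeJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected three dot-separated parts");
  const header = JSON.parse(b64urlToText(parts[0]));
  const payload = JSON.parse(b64urlToText(parts[1]));
  // exp is a Unix timestamp in seconds; absent or non-numeric means "unknown".
  const expired =
    typeof payload.exp === "number" ? nowSeconds >= payload.exp : null;
  // The third part is deliberately ignored: nothing here proves authenticity.
  return { header, payload, expired, signatureVerified: false };
}

// Constructed sample token; the signature is a dummy value, not a real MAC.
function textToB64url(text) {
  const bin = String.fromCharCode(...new TextEncoder().encode(text));
  return btoa(bin).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}
const SAMPLE = [
  textToB64url(JSON.stringify({ alg: "HS256", typ: "JWT" })),
  textToB64url(JSON.stringify({ sub: "user-123", exp: 1700000000, role: "admin" })),
  "ZHVtbXktc2lnbmF0dXJl", // Base64URL of the text "dummy-signature"
].join(".");

console.log(decodeJwt(SAMPLE, 1700000001));
```

The sample decodes cleanly even though its signature is meaningless, which is why decoded claims such as role must not drive authentication or trust decisions.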

Overview

Decode the header and payload of a JSON Web Token (JWT) into readable JSON. Useful for debugging authentication flows and inspecting claims such as exp, sub, and custom fields.

How to use

  1. Paste a JWT (three Base64URL parts separated by dots).
  2. Click Decode.
  3. Inspect the header (algorithm, type) and payload (claims) as formatted JSON.

FAQ

Can this tool verify a JWT signature?
No. Verification requires the signing secret or public key. The tool only decodes the Base64URL parts.
Is a JWT encrypted?
A standard signed JWT (JWS) is only encoded, not encrypted. Use JWE if payload confidentiality is required.
Is my token uploaded?
No. Decoding happens entirely in your browser, but prefer non-production tokens as a general precaution.
