JWT Decoder

Decode a JWT header and payload to readable JSON in your browser — free, instant and private. Decodes only; it does not verify the signature.

100% in your browser — nothing you type is ever uploaded.

How to decode a JWT

  1. Paste the full token into the input box above — it should look like three dot-separated parts.
  2. The decoded header and payload appear instantly as formatted JSON.
  3. Click Copy under either box to copy that JSON to your clipboard.

What this tool does

This tool splits a JSON Web Token into its three parts, Base64url-decodes the header and payload segments, and pretty-prints each as JSON. It decodes only and does not verify the signature — so it will show you what a token claims, but not whether those claims are genuine or whether the token has expired. Verification requires the issuer's secret or public key and should happen on a trusted server.
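The decode-only logic described above (and the invalid-token handling covered in the FAQ), as an added example that is not this page's tool or its source: it splits the token, Base64url-decodes the header and payload, parses each as JSON, rejects malformed input, and never touches the signature. It assumes Node.js for the `Buffer` API; the sample token is the well-known jwt.io demo token, embedded here as constructed input.

```javascript
// Added example (not this page's tool): a minimal JWT decoder of the kind the page
// describes. It splits the token, Base64url-decodes header and payload, parses each
// as JSON, and deliberately does NOT verify the signature. Runs under Node.js.

function base64urlDecode(segment) {
  // Reject anything outside the Base64url alphabet instead of silently accepting garbage.
  if (!/^[A-Za-z0-9_-]*$/.test(segment)) {
    throw new Error("segment is not valid Base64url");
  }
  // Base64url omits '=' padding; restore it. A length of 1 mod 4 can never be valid.
  const rem = segment.length % 4;
  if (rem === 1) {
    throw new Error("segment has an invalid Base64url length");
  }
  const padded = segment.replace(/-/g, "+").replace(/_/g, "/") + "=".repeat(rem ? 4 - rem : 0);
  return Buffer.from(padded, "base64").toString("utf8");
}

function decodeJwt(token) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) {
    throw new Error(`expected 3 dot-separated parts, got ${parts.length}`);
  }
  const [headerSeg, payloadSeg, signatureSeg] = parts;
  let header, payload;
  try {
    header = JSON.parse(base64urlDecode(headerSeg));
    payload = JSON.parse(base64urlDecode(payloadSeg));
  } catch (e) {
    throw new Error(`cannot decode token: ${e.message}`);
  }
  // Informational only: compares "exp" (Unix seconds) with the clock. This is not
  // verification; an unverified payload can claim any "exp" it likes.
  const expired = payload !== null && typeof payload === "object" &&
    typeof payload.exp === "number" && payload.exp * 1000 < Date.now();
  return { header, payload, signature: signatureSeg, expired, verified: false };
}

// Constructed sample token (the well-known jwt.io demo token): an HS256 header and a
// payload with sub/name/iat. Its signature is carried through untouched and never checked.
const SAMPLE_TOKEN =
  "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9." +
  "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ." +
  "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c";

const decoded = decodeJwt(SAMPLE_TOKEN);
console.log(JSON.stringify(decoded.header, null, 2));
console.log(JSON.stringify(decoded.payload, null, 2));
console.log("verified:", decoded.verified); // always false: decoding is not verification
```

Anything this function returns is still untrusted input; only a server-side signature check against the issuer's key makes the claims meaningful.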

Anatomy of a JWT

  • Header — metadata about the token, such as the signing algorithm.
  • Payload — the claims: arbitrary data like a user ID, roles, and issued/expiry timestamps.
  • Signature — a cryptographic signature over the header and payload, verifiable only with the issuer's key. This tool does not decode or check it.

Common reasons to decode a JWT

  • Debugging why an API rejects a token by inspecting its claims and expiry.
  • Checking which algorithm and claims an auth provider issues before writing verification code.
  • Confirming a token contains the roles or scopes your app expects.
  • Learning how JWTs are structured while building or reviewing an authentication flow.

Frequently asked questions

Is my token uploaded anywhere?
No. The token is decoded entirely locally in your browser. Nothing is sent to a server, so you can safely paste real access or session tokens while debugging.
Does this verify the JWT signature?
No. This tool decodes only — it reads the header and payload but does not verify the signature, so it cannot tell you whether the token is authentic or has been tampered with. Never treat a decoded payload as trusted without verifying it against the issuer's key server-side.
Why does the payload show my data even though I don't have the secret key?
A JWT's header and payload are only Base64url-encoded, not encrypted — anyone holding the token can read them. Only the signature at the end requires the secret or private key, and that part is not decoded here.
What do the header fields mean?
The header typically has "alg" (the signing algorithm, e.g. HS256 or RS256) and "typ" (usually "JWT"). It tells a verifier how the signature was produced, not anything about the user or session.
What are common payload claims like "sub", "iat" and "exp"?
"sub" is the subject (usually a user ID); "iat" is the issued-at timestamp and "exp" the expiry timestamp, both expressed as Unix seconds. Other claims are defined by whatever service issued the token.
What happens if I paste an invalid token?
The tool shows a clear error message instead of guessing. This usually means the token does not have exactly three dot-separated parts, or one of the parts is not valid Base64url-encoded JSON.
Can I decode an expired token?
Yes. Decoding just reads the encoded fields regardless of the "exp" claim — this tool does not check expiry, since checking that is part of verification, which happens server-side.