JWT Decoder
Decode a JWT header and payload to readable JSON in your browser — free, instant and private. Decodes only; it does not verify the signature.
100% in your browser — nothing you type is ever uploaded.
How to decode a JWT
- Paste the full token into the input box above — it should look like three dot-separated parts.
- The decoded header and payload appear instantly as formatted JSON.
- Click Copy under either box to copy that JSON to your clipboard.
What this tool does
This tool splits a JSON Web Token into its three parts, Base64url-decodes the header and payload segments, and pretty-prints each as JSON. It decodes only and does not verify the signature — so it will show you what a token claims, but not whether that claim is genuine or the token has expired. Verification requires the issuer's secret or public key and should happen on a trusted server.
Anatomy of a JWT
- Header — metadata about the token, such as the signing algorithm.
- Payload — the claims: arbitrary data like a user ID, roles, and issued/expiry timestamps.
- Signature — a cryptographic signature over the header and payload, verifiable only with the issuer's key. This tool does not decode or check it.
Common reasons to decode a JWT
- Debugging why an API rejects a token by inspecting its claims and expiry.
- Checking which algorithm and claims an auth provider issues before writing verification code.
- Confirming a token contains the roles or scopes your app expects.
- Learning how JWTs are structured while building or reviewing an authentication flow.
Related tools
- Base64 Decode — decode a single Base64 string outside the JWT structure.
- Base64 Encode — encode plain text to Base64.
Frequently asked questions
- Is my token uploaded anywhere?
- No. The token is decoded entirely locally in your browser. Nothing is sent to a server, so you can safely paste real access or session tokens while debugging.
- Does this verify the JWT signature?
- No. This tool decodes only — it reads the header and payload but does not verify the signature, so it cannot tell you whether the token is authentic or has been tampered with. Never treat a decoded payload as trusted without verifying it against the issuer's key server-side.
- Why does the payload show my data even though I don't have the secret key?
- A JWT's header and payload are only Base64url-encoded, not encrypted — anyone holding the token can read them. Only the signature at the end requires the secret or private key, and that part is not decoded here.
- What do the header fields mean?
- The header typically has "alg" (the signing algorithm, e.g. HS256 or RS256) and "typ" (usually "JWT"). It tells a verifier how the signature was produced, not anything about the user or session.
- What are common payload claims like "sub", "iat" and "exp"?
- "sub" is the subject (usually a user ID), "iat" is the issued-at timestamp, and "exp" is the expiry timestamp — both as Unix seconds. Other claims are defined by whatever service issued the token.
- What happens if I paste an invalid token?
- The tool shows a clear error message instead of guessing. This usually means the token does not have exactly three dot-separated parts, or one of the parts is not valid Base64url-encoded JSON.
- Can I decode an expired token?
- Yes. Decoding just reads the encoded fields regardless of the "exp" claim — this tool does not check expiry, since checking that is part of verification, which happens server-side.
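As an added example (not the tool's own source), the decode-only logic described under "What this tool does" and the error cases from the FAQ, written in browser-style JavaScript: split on dots, Base64url-decode the first two segments, parse them as JSON, and leave the signature segment untouched. The header, payload and token below are constructed for the example; the third segment is a placeholder, not a real signature.

```javascript
// Base64url -> UTF-8 text. Base64url uses '-' and '_' instead of '+' and '/' and omits '=' padding.
function base64UrlDecode(segment) {
  if (!/^[A-Za-z0-9_-]*$/.test(segment) || segment.length % 4 === 1) {
    throw new Error("segment is not valid Base64url");
  }
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (ch) => ch.charCodeAt(0));
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes);
}

// UTF-8 text -> Base64url (used only to build the constructed sample token below).
function base64UrlEncode(text) {
  const b64 = btoa(String.fromCharCode(...new TextEncoder().encode(text)));
  return b64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Decode only: returns the claims a token makes, never whether they are genuine.
function decodeJwt(token) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) {
    throw new Error(`expected 3 dot-separated parts, got ${parts.length}`);
  }
  const [headerSeg, payloadSeg, signatureSeg] = parts;
  const header = JSON.parse(base64UrlDecode(headerSeg));   // throws on non-JSON
  const payload = JSON.parse(base64UrlDecode(payloadSeg)); // throws on non-JSON
  // The signature is passed through as-is; checking it needs the issuer's key.
  return { header, payload, signature: signatureSeg, verified: false };
}

// Formatted JSON for display, as the tool's two output boxes show it.
function prettyPrint(token) {
  const { header, payload } = decodeJwt(token);
  return { header: JSON.stringify(header, null, 2), payload: JSON.stringify(payload, null, 2) };
}

// Constructed sample values for the example (not from any real issuer).
const SAMPLE_HEADER = { alg: "HS256", typ: "JWT" };
const SAMPLE_PAYLOAD = { sub: "user-123", iat: 1700000000, exp: 1700003600, roles: ["admin"] };
const SAMPLE_TOKEN = [
  base64UrlEncode(JSON.stringify(SAMPLE_HEADER)),
  base64UrlEncode(JSON.stringify(SAMPLE_PAYLOAD)),
  "placeholder-signature", // not an HMAC over the first two segments
].join(".");
```

Because `decodeJwt` never looks at the third segment, a token whose signature has been stripped or altered decodes exactly like the original; only a server-side verifier with the issuer's key can tell them apart.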