JWT Decoder

JWT Decoder

Decode a JWT header and payload to view the algorithm, claims, and expiry as pretty JSON — decoding only, no signature verification.

Decoding ≠ Verification

This tool only decodes the JWT. It does NOT verify the signature. Anyone can create a JWT with any claims—always verify tokens server-side with the correct secret or public key.

0 chars
🔐

JWT Token

Paste your JWT to decode

About JWTs

  • Header contains the algorithm and token type
  • Payload contains the claims (user data, expiration, etc.)
  • Signature is used to verify the token wasn't tampered with
  • • JWTs are Base64URL encoded (not encrypted!) — anyone can read the contents

Features

  • Instantly decodes the header and payload of any JWT
  • Shows the signing algorithm and warns when a token uses "none"
  • Turns Unix timestamps like iat and exp into readable dates
  • Runs entirely in your browser — tokens are never sent anywhere
  • Pretty-prints the raw JSON so nested claims are easy to read

Common Use Cases

  • Checking what claims an auth server actually put in a token
  • Debugging login issues by inspecting the payload during development
  • Confirming the algorithm and key id (kid) a token was signed with
  • Teaching teammates how the three parts of a JWT fit together

What a JWT actually contains

A JSON Web Token (JWT) is just three Base64URL-encoded strings joined by dots: header.payload.signature. The header says which algorithm signed the token, the payload holds the claims (who the user is, when the token expires, and so on), and the signature lets a server confirm the token hasn't been changed.

The important thing to understand is that a JWT is encoded, not encrypted. Anyone who has the token can read the header and payload — this decoder simply does that decoding for you. The signature is the only part that needs a secret, and it can only be verified on the server that holds the key.

Because the contents are readable by anyone, you should never put passwords, secrets, or sensitive personal data in a payload.

Examples

Valid - A normal token with three parts
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0IiwibmFtZSI6IkpvaG4ifQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
Invalid - Missing the signature part
eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0In0

Frequently Asked Questions

Does this tool verify the signature?
No. It only decodes the header and payload so you can read them. Verifying the signature requires the secret or public key and should always happen on your server.
Is it safe to paste a real token here?
Decoding happens entirely in your browser and nothing is uploaded. That said, treat live tokens like passwords — if a token is still valid, avoid pasting it into any tool you do not control.
Why can I read the payload without a key?
JWTs are Base64URL-encoded, not encrypted. Encoding only changes the format of the data, so anyone can decode it. Never store secrets in a JWT payload.
What does the "alg" field mean?
It is the algorithm used to sign the token, such as HS256 (HMAC + SHA-256) or RS256 (RSA + SHA-256). A value of "none" means the token is unsigned and should never be trusted.

💡 Tips

  • If the payload looks empty, check that you pasted all three dot-separated parts.
  • A token that decodes fine can still be expired — check the exp claim separately.