JWT Decoder
Decode a JWT header and payload to view the algorithm, claims, and expiry as pretty JSON — decoding only, no signature verification.
Decoding ≠ Verification
This tool only decodes the JWT. It does NOT verify the signature. Anyone can create a JWT with any claims—always verify tokens server-side with the correct secret or public key.
JWT Token
Paste your JWT to decode
About JWTs
- • Header contains the algorithm and token type
- • Payload contains the claims (user data, expiration, etc.)
- • Signature is used to verify the token wasn't tampered with
- • JWTs are Base64URL encoded (not encrypted!) — anyone can read the contents
Features
- Instantly decodes the header and payload of any JWT
- Shows the signing algorithm and warns when a token uses "none"
- Turns Unix timestamps like iat and exp into readable dates
- Runs entirely in your browser — tokens are never sent anywhere
- Pretty-prints the raw JSON so nested claims are easy to read
Common Use Cases
- Checking what claims an auth server actually put in a token
- Debugging login issues by inspecting the payload during development
- Confirming the algorithm and key id (kid) a token was signed with
- Teaching teammates how the three parts of a JWT fit together
What a JWT actually contains
A JSON Web Token (JWT) is just three Base64URL-encoded strings joined by dots: header.payload.signature. The header says which algorithm signed the token, the payload holds the claims (who the user is, when the token expires, and so on), and the signature lets a server confirm the token hasn't been changed.
The important thing to understand is that a JWT is encoded, not encrypted. Anyone who has the token can read the header and payload — this decoder simply does that decoding for you. The signature is the only part that needs a secret, and it can only be verified on the server that holds the key.
Because the contents are readable by anyone, you should never put passwords, secrets, or sensitive personal data in a payload.
Examples
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0IiwibmFtZSI6IkpvaG4ifQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5ceyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjM0In0Frequently Asked Questions
💡 Tips
- If the payload looks empty, check that you pasted all three dot-separated parts.
- A token that decodes fine can still be expired — check the exp claim separately.