JWT Decoder
Paste a JWT to inspect its header and payload. Decoded locally.
Decoding runs locally, but JWTs often carry sensitive claims — avoid pasting production tokens. The signature is not verified; never trust a token's contents without server-side verification.
About JWT Decoder
JWT Decoder breaks a JSON Web Token into its three parts — header, payload, and signature — and shows the decoded header and payload as readable JSON. It is the fastest way to see what is actually inside the token your auth provider hands your app: the algorithm, the issuer, the subject, the expiry, and any custom claims.
A JWT is three Base64url-encoded segments joined by dots: header.payload.signature. Worked example: a token starting eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjMiLCJleHAiOjE3MDAwMDAwMDB9.<sig> decodes to a header {alg:"HS256", typ:"JWT"} and a payload {sub:"123", exp:1700000000}. The decoded payload is pretty-printed as JSON so all claims — including standard ones like exp, iat, and nbf as their raw Unix timestamps — are visible at a glance.
One important limit: this tool decodes, it does not verify. Verification requires the signing key — the shared secret for HS256, or the public key for RS256 / ES256 — and must run server-side anyway, because the whole point is to check the signature before trusting the claims. Treat the decoded payload as untrusted input until your backend has verified it. Encrypted JWTs (JWE) are not supported; only signed JWS tokens are decoded.
Decoding happens entirely in your browser and nothing is sent anywhere. That said, JWTs frequently carry user IDs, scopes, and other sensitive claims, so avoid pasting active production tokens into any web tool, including this one — use a non-production token if you can.