JWT Decoder

Decode and inspect JWT tokens (header and payload).

About JWT Decoder

A JSON Web Token consists of three base64url-encoded parts separated by dots: the header (specifying the algorithm and token type), the payload (containing claims such as user ID, expiration time, and custom data), and the signature (used by the server to verify integrity). This tool decodes the header and payload so you can read them as formatted JSON. It does not verify the cryptographic signature — for production verification, use your backend or a dedicated crypto library. If you need to create tokens for testing, try our JWT Generator.

How to Use JWT Decoder

  1. Paste your complete JWT string into the input field. The token should have three parts separated by dots (header.payload.signature).
  2. Click Decode to parse the token. The decoded header and payload appear instantly as formatted JSON.
  3. Use the Copy Header or Copy Payload buttons to copy either section to your clipboard for further use.
  4. Review the claims in the payload — look for fields like exp (expiration), iat (issued at), sub (subject), and any custom claims.

Key Features

  • Instant decoding — Paste a JWT and see the header and payload immediately, no waiting or page reloads.
  • 100% client-side — All decoding happens in your browser using JavaScript. Your token is never sent to any server.
  • Formatted JSON output — Results are displayed as pretty-printed, indented JSON for easy reading.
  • One-click copy — Copy the decoded header or payload with a single button click.
  • No installation required — Works in any modern browser without extensions, downloads, or sign-ups.

When to Use This Tool

  • Debugging API authentication issues by inspecting token claims and expiration times
  • Verifying that a JWT payload contains the expected user ID, roles, or permissions
  • Checking the algorithm specified in the header (e.g., HS256, RS256)
  • Quickly reading token data during development without writing decode logic
  • Learning about JWT structure for educational purposes

Technical Details

The decoder splits the JWT string on the dot separator, then applies base64url decoding to the first two segments (header and payload). The decoded bytes are parsed as JSON and displayed with indentation. Base64url differs from standard Base64 by replacing + with - and / with _, and omitting padding characters. The third segment (signature) is not decoded because it is a binary signature or MAC value rather than JSON, and checking it requires the secret key or public key. This tool supports tokens signed with any algorithm (HS256, RS256, ES256, etc.) since it only reads the token and does not validate it. Because nothing is verified, treat the decoded header and payload as unauthenticated data until your backend has checked the signature.

Conclusion

The JWT Decoder is an essential tool for any developer working with token-based authentication. It lets you quickly inspect claims, debug issues, and understand token contents — all without exposing your data to external services. Pair it with our JWT Generator for a complete JWT development workflow.

Frequently Asked Questions

What is a JWT?
A JWT (JSON Web Token) is a compact, URL-safe token format used to transmit data between parties. It consists of three base64url-encoded parts — header, payload, and signature — separated by dots. JWTs are commonly used for API authentication and session management.

Is it safe to decode my JWT here?
Yes. This tool decodes tokens entirely in your browser — nothing is sent to a server. However, avoid pasting highly sensitive tokens on shared or public computers.

Does this tool verify the JWT signature?
No. This tool only decodes the header and payload for inspection. Signature verification requires the secret key or public key and should be done on your server or with a dedicated cryptographic library.

Can I decode tokens signed with any algorithm?
Yes. Since the decoder only reads the base64url-encoded header and payload, it works with any signing algorithm (HS256, RS256, ES256, PS256, etc.). The algorithm field is visible in the decoded header.