
JWT Decoder

Decode a JSON Web Token to read its header and payload.

Decoded locally — your token never leaves your device.

How do you decode a JSON Web Token (JWT)?

A JWT is header.payload.signature, each part Base64URL-encoded; the decoder Base64URL-decodes the first two parts and parses them as JSON. The payload holds the claims and the header names the signing algorithm. The signature (not decoded) is what proves the token was not tampered with, but only once it has been verified with the signing secret or public key. A token whose payload names a subject, user and issue date shows each claim in readable form. Tokens are never uploaded.

Understanding your result

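The payload holds the claims and the header names the signing algorithm. The signature (not decoded here) is what proves the token was not tampered with, but only once it has been verified with the signing secret or public key; a decoded result on its own is unverified.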

Formula and method

A JWT is header.payload.signature, each Base64URL-encoded. This tool Base64URL-decodes the first two parts and parses them as JSON.

Assumptions and limitations

This tool decodes but does NOT verify the signature — never trust an unverified token on a server. Verification needs the signing secret or public key.

Worked example

A token whose payload names a subject, a user and an issue date shows each of those claims in a readable form.
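The decoding steps described above, written out as an added example; this is not the tool's own code. The function names, the sample claims and the placeholder signature are assumptions constructed for illustration.

```javascript
// Added example (not the tool's own code): decode a JWT without verifying it.
function base64UrlDecode(part) {
  if (!/^[A-Za-z0-9_-]+$/.test(part)) throw new Error("not Base64URL");
  // Base64URL swaps '+' and '/' for '-' and '_' and drops '=' padding.
  const b64 = part.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes);
}

function decodeJwt(token) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) {
    throw new Error("expected three dot-separated parts: header.payload.signature");
  }
  // Only the first two parts are JSON; the signature stays opaque.
  const [header, payload] = parts.slice(0, 2).map((p) => JSON.parse(base64UrlDecode(p)));
  for (const obj of [header, payload]) {
    if (obj === null || typeof obj !== "object" || Array.isArray(obj)) {
      throw new Error("header and payload must be JSON objects");
    }
  }
  // Timestamp claims are seconds since the Unix epoch.
  const dates = {};
  for (const claim of ["iat", "nbf", "exp"]) {
    if (typeof payload[claim] === "number") {
      dates[claim] = new Date(payload[claim] * 1000).toISOString();
    }
  }
  // verified is always false: decoding alone says nothing about authenticity.
  return { header, payload, dates, verified: false };
}

// Constructed sample token. The signature part is a placeholder, and the
// decoder still accepts it, which is why decoded claims must not be trusted.
const toPart = (obj) =>
  btoa(JSON.stringify(obj)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const SAMPLE_TOKEN = [
  toPart({ alg: "HS256", typ: "JWT" }),
  toPart({ sub: "1234567890", name: "Example User", iat: 1516239022, exp: 1516242622 }),
  "placeholder-signature",
].join(".");

console.log(decodeJwt(SAMPLE_TOKEN));
```

On a server, the equivalent step is signature verification with the signing secret or public key before any claim is read.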

How to use this tool

  1. Paste the token (three parts separated by dots).
  2. Read the decoded header and payload.
  3. Check the issued-at and expiry times.

Common mistakes to avoid

  • Treating a decoded payload as trusted. Anyone can read a JWT; only signature verification proves authenticity.
  • Pasting only the payload — the decoder needs the full token.

About the JWT Decoder

Paste a JSON Web Token to instantly see its decoded header and payload, with timestamp claims converted to readable dates. Nothing is sent to a server.

Who should use this tool

Developers debugging authentication who need to inspect a token’s claims quickly.


Frequently asked questions

Is my token sent anywhere?

No. Decoding happens entirely in your browser and the token is never uploaded or stored.

Why is the signature not shown?

The signature is a cryptographic value, not readable data. Verifying it requires the secret or public key, which this client-side tool does not have.
