JWT Decoder
Paste a JSON Web Token below to decode its header and payload into readable JSON. This tool only decodes the token — it does not verify the signature, since that requires the secret or public key.
How to use
1. Paste your JWT: Copy the full token, including all three dot-separated segments.
2. View the header and payload: Both decode instantly into formatted JSON.
3. Check the signature segment: The raw signature is shown for reference; it can't be verified here.
Examples
- A token with payload {"sub":"123","name":"Jane"} decodes to readable JSON instantly
- An expired token still decodes — check the 'exp' claim to confirm expiry yourself
Frequently asked questions
Does this tool verify the JWT's signature?
No. Verifying a signature requires the secret key (for HMAC algorithms) or public key (for RSA/ECDSA), which should never be pasted into a browser tool. This decoder only base64url-decodes the header and payload so you can inspect the claims.
Why does a JWT have three parts?
A JWT consists of a header, payload, and signature, each base64url-encoded and joined by dots: header.payload.signature. The header describes the signing algorithm, the payload holds the claims, and the signature proves the token wasn't tampered with.
What are 'claims'?
Claims are the key-value pairs inside the payload, such as sub (subject), exp (expiry), and iat (issued at). They carry the actual data the token is asserting.
Is my token sent anywhere?
No. Decoding happens entirely in your browser using built-in base64 decoding. Nothing is sent to a server or stored.