Read what's inside a token
Paste a JSON Web Token and this decoder splits it into its three parts and shows the decoded header and payload as formatted JSON, with any standard time claims (like issued-at and expiry) translated into readable dates. It's the quick way to see exactly what a token is carrying while debugging auth. Everything runs in your browser — the token is never sent anywhere.
The three parts of a JWT
- Header — describes the token type and the signing algorithm, e.g. HS256.
- Payload — the claims: who the token is about, who issued it, and when it expires.
- Signature — a cryptographic seal over the header and payload that proves the token wasn't tampered with, but only once it has been checked against the signing key.
Decoding is not verifying
Because a valid token can grant access, treat real ones like passwords: don't share them, and clear the field when you're finished.
Frequently asked questions
What is a JWT?
A JSON Web Token (JWT) is a compact, URL-safe token with three parts separated by dots: a header, a payload of claims, and a signature. It is widely used to carry authentication and authorization data between a server and a client.
Does decoding a JWT verify it?
No. Decoding only reads the Base64URL-encoded header and payload, which are not encrypted. Verifying a token means checking its signature with the secret or public key, which requires that key and is done on the server.
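The difference between decoding and verifying, shown as an added Node.js example that is not this tool's own code. It assumes an HS256 token; the secret, the claims and the function names are constructed for illustration.

```javascript
// Added example for Node.js; the secret and claims are constructed sample values.
const nodeCrypto = require('node:crypto');

const b64url = (data) => Buffer.from(data).toString('base64url');
const hmac = (input, secret) => nodeCrypto.createHmac('sha256', secret).update(input).digest();

// Build a sample HS256 token so the example runs offline.
function signHS256(header, payload, secret) {
  const input = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(payload))}`;
  return `${input}.${b64url(hmac(input, secret))}`;
}

// Decode only: no key is involved, so this says nothing about authenticity.
function decodeJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('expected three dot-separated parts');
  const [header, payload] = parts.slice(0, 2)
    .map((p) => JSON.parse(Buffer.from(p, 'base64url').toString('utf8')));
  const times = {};
  for (const claim of ['iat', 'nbf', 'exp']) {
    if (typeof payload[claim] === 'number') {
      times[claim] = new Date(payload[claim] * 1000).toISOString();
    }
  }
  return { header, payload, times };
}

// Verify: recompute the HMAC over "header.payload" and compare in constant time.
// The verifier fixes the algorithm; it rejects any header that says otherwise.
function verifyHS256(token, secret) {
  const parts = token.split('.');
  if (parts.length !== 3) return false;
  let header;
  try { header = JSON.parse(Buffer.from(parts[0], 'base64url').toString('utf8')); }
  catch { return false; }
  if (!header || header.alg !== 'HS256') return false;
  const expected = hmac(`${parts[0]}.${parts[1]}`, secret);
  const given = Buffer.from(parts[2], 'base64url');
  return given.length === expected.length && nodeCrypto.timingSafeEqual(given, expected);
}

const SECRET = 'constructed-demo-secret';
const token = signHS256({ alg: 'HS256', typ: 'JWT' },
  { sub: 'alice', role: 'user', iat: 1700000000, exp: 1700003600 }, SECRET);
// Same header and signature, different payload: it still decodes cleanly.
const [h, , s] = token.split('.');
const tampered = `${h}.${b64url(JSON.stringify({ sub: 'alice', role: 'admin' }))}.${s}`;

console.log(decodeJwt(token).times, verifyHS256(token, SECRET));
console.log(decodeJwt(tampered).payload, verifyHS256(tampered, SECRET));
```

The altered token decodes without complaint and only the signature check rejects it. A server would also check `exp` and `nbf` after the signature passes.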
Is it safe to paste my token here?
The decoding happens entirely in your browser and your token is never sent anywhere. Still, treat real tokens as secrets — a valid token can grant access, so avoid sharing one and clear it when you are done.