JWT Decoder

Paste a JSON Web Token — its header and payload decode instantly.


Read what's inside a token

Paste a JSON Web Token and this decoder splits it into its three parts and shows the decoded header and payload as formatted JSON, with any standard time claims (like issued-at and expiry) translated into readable dates. It's the quick way to see exactly what a token is carrying while debugging auth. Everything runs in your browser — the token is never sent anywhere.

The three parts of a JWT

  • Header — describes the token type and the signing algorithm, e.g. HS256.
  • Payload — the claims: who the token is about, who issued it, and when it expires.
  • Signature — a cryptographic seal over the header and payload; checking it with the right key proves the token wasn't tampered with.

Decoding is not verifying

The header and payload are only Base64URL-encoded, not encrypted — anyone can read them. Trusting a token means verifying its signature with the secret or public key on the server, which this tool intentionally does not do.

Because a valid token can grant access, treat real ones like passwords: don't share them, and clear the field when you're finished.
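
To make the difference between decoding and verifying concrete, here is an added example (not this tool's own code) of a decode-only reader in plain JavaScript. The function names, the signatureChecked field and the sample token are assumptions made for the illustration; the sample's third part is arbitrary text, yet the header and payload still decode.

```javascript
// Added example: decode-only JWT reader. It never checks the signature.
const TIME_CLAIMS = ["iat", "nbf", "exp"]; // NumericDate claims, seconds since epoch

// Base64URL swaps '+' and '/' for '-' and '_' and drops '=' padding.
function base64UrlDecode(segment) {
  if (!/^[A-Za-z0-9_-]+$/.test(segment) || segment.length % 4 === 1) {
    throw new Error("not valid Base64URL");
  }
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return new TextDecoder().decode(bytes); // claims may contain non-ASCII text
}

// Helper used only to build the constructed sample below.
function base64UrlEncode(text) {
  const bin = String.fromCharCode(...new TextEncoder().encode(text));
  return btoa(bin).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

const isObject = (v) => v !== null && typeof v === "object" && !Array.isArray(v);

function decodeJwt(token) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const [header, payload] = parts.slice(0, 2).map((p) => JSON.parse(base64UrlDecode(p)));
  if (!isObject(header) || !isObject(payload)) {
    throw new Error("header and payload must be JSON objects");
  }
  const times = {};
  for (const claim of TIME_CLAIMS) {
    const date = new Date(payload[claim] * 1000);
    if (typeof payload[claim] === "number" && !Number.isNaN(date.getTime())) {
      times[claim] = date.toISOString(); // readable form of the time claim
    }
  }
  // signatureChecked is always false: nothing here involves a key.
  return { header, payload, times, signature: parts[2], signatureChecked: false };
}

// Constructed sample: the third part is arbitrary text, not a real HS256 signature.
const SAMPLE_TOKEN = [
  base64UrlEncode(JSON.stringify({ alg: "HS256", typ: "JWT" })),
  base64UrlEncode(JSON.stringify({ sub: "user-123", iat: 1700000000, exp: 1700003600 })),
  base64UrlEncode("not-a-real-signature"),
].join(".");

console.log(decodeJwt(SAMPLE_TOKEN)); // decodes even though the signature is meaningless
```

The claims returned by a reader like this are display data only; a server should act on them only after its JWT library has verified the signature with the expected key and algorithm.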

Frequently asked questions

What is a JWT?

A JSON Web Token (JWT) is a compact, URL-safe token with three parts separated by dots: a header, a payload of claims, and a signature. It is widely used to carry authentication and authorization data between a server and a client.

Does decoding a JWT verify it?

No. Decoding only reads the Base64URL-encoded header and payload, which are not encrypted. Verifying a token means checking its signature with the secret or public key, which requires that key and is done on the server.

Is it safe to paste my token here?

The decoding happens entirely in your browser and your token is never sent anywhere. Still, treat real tokens as secrets — a valid token can grant access, so avoid sharing one and clear it when you are done.