JWT Decoder
Decode any JSON Web Token (JWT) instantly. View the header, payload, and signature. Runs in your browser — your token never leaves your device. Free, no signup.
About JWT Decoder
A JSON Web Token is just a JSON object that’s been Base64URL-encoded and signed. Decoding it doesn’t require the signing key — anyone holding the token can read what’s inside. This tool decodes the structure so you can see the header, payload, and signature without writing any code or pasting your token into someone else’s server.
Everything runs in your browser. Your token is decoded with the native atob() function and JSON.parse() — no network call, no library upload, no server log. If the page is loaded, the tool works offline.
How JWTs are structured
A JWT looks like this:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0.SflKxwRJSMeKKF2QT4f...
└──────── header ────────┘ └──── payload ────┘ └─── signature ───┘
- Header — typically
{"alg":"HS256","typ":"JWT"}. Says which signing algorithm was used. - Payload — the JSON object with claims. Standard claims include
iss(issuer),sub(subject),aud(audience),exp(expiry),iat(issued-at),nbf(not-before),jti(token ID). - Signature — opaque bytes that prove the token wasn’t tampered with. You can decode it as Base64URL but the result is binary; it’s only useful for verification (which requires the signing key).
How to use
- Paste your JWT into the textarea. Or click Sample to see a working example.
- The tool decodes immediately. Header and payload appear as syntax-highlighted JSON; signature appears as the raw Base64URL string.
- Standard claims (iss, sub, exp, etc.) are surfaced as chips below the cards, with timestamps converted to ISO format. Expired tokens get a red
expiredflag. - Click any Copy button to grab that section.
What this tool does NOT do
- It does not verify the signature. That requires the signing secret (for HMAC) or the issuer’s public key (for RSA/EC). Verification belongs server-side, not in a browser tool.
- It does not modify the token. The decoded JSON is read-only. If you want to mint a test token, use a server-side library — see the FAQ for recommendations.
- It does not store anything. Your token is decoded in memory and discarded when you close the tab.
Security note
Don’t paste production access tokens here from a shared computer. The token never leaves your device, but browser history, autofill, and screen-sharing apps still see it. For debugging real production traffic, copy the token to a private environment first.
Free, no signup, runs entirely in your browser.
Frequently asked questions
A JSON Web Token (JWT) is a compact, URL-safe way to represent a signed JSON object. It's three Base64URL-encoded parts separated by dots: header.payload.signature. The header says which algorithm was used to sign it, the payload carries the actual claims (user ID, expiry, scope, etc.), and the signature proves the token wasn't tampered with by someone who doesn't have the signing key.
No — and that's deliberate. Verifying a signature requires the signing key (HMAC secret or public key), which should never leave your server. This tool only decodes the structure so you can read what's in it. Treat the payload as 'asserted, not verified' — useful for debugging, not for trust decisions.
No. The decoder runs entirely in your browser using built-in atob() and JSON.parse(). Your token never leaves your device. The tool works offline once the page has loaded. That said: do not paste production access tokens from a shared computer — anyone with access to the browser history could retrieve them.
The seven standard registered claims defined in RFC 7519 — iss (issuer), sub (subject), aud (audience), exp (expiry), nbf (not-before), iat (issued-at), and jti (JWT ID). Timestamps are converted to ISO format for readability. The 'exp' chip turns red if the token is expired.