JWT Decoder

Paste a JSON Web Token to inspect its header and payload. Nothing leaves your browser.

About JWTs

A JSON Web Token (JWT) is a compact, URL-safe credential format defined by RFC 7519. It encodes a small JSON payload of claims and a signature so that a server can verify the token was issued by a trusted party.

A JWT consists of three Base64URL-encoded segments joined with dots:

  • Header: describes the signing algorithm (e.g. HS256, RS256).
  • Payload: the claims. Common ones include iss (issuer), sub (subject), exp (expiry), iat (issued at), and aud (audience).
  • Signature: the bytes that prove the token has not been tampered with. Verifying this requires the issuer's secret or public key, which this tool does not have, so we only display the segment.

Important: decoding is not verification

This tool decodes the token so you can see what is inside. It does not verify the signature. A valid-looking decoded JWT may still be forged. Always verify tokens server-side with the correct algorithm and key before trusting their claims.

Privacy

The token is parsed entirely in your browser. The header, payload, and signature are never transmitted anywhere, so you can safely paste production access tokens for debugging.

Frequently asked questions

Can this tool verify the signature?
No. Signature verification requires the issuer's secret or public key, which should never leave your servers. This tool intentionally only decodes the token so it can stay fully client-side.

What does the exp claim mean?
It is the token's expiration time as a Unix timestamp (seconds since epoch). The tool shows it as a human-readable date and highlights whether the token is currently expired.

Why does my payload have base64 garbage instead of JSON?
JWT segments use URL-safe Base64 without padding. Make sure you pasted the entire token (three dot-separated segments) and that there are no surrounding quotes or whitespace.

Is JWT a good place to store secrets?
No. The payload is only encoded, not encrypted, so anyone with the token can read it. Use JWE (encrypted JWTs) or simply do not put sensitive data in the claims.
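The three-segment structure described above and the exp and Base64URL points from the FAQ, as an added example that is not this tool's own source: a minimal client-side decoder that reverses the unpadded URL-safe Base64 of the header and payload, reports whether exp has passed, and deliberately never claims the signature is verified. The sample token, its claim values and the placeholder signature are constructed for the example.

```javascript
// Added example (not the tool's own code). Works in a browser and in Node 16+,
// which both expose atob/btoa and TextEncoder/TextDecoder as globals.

function base64UrlDecode(segment) {
  // Base64URL (RFC 4648 section 5): '-' and '_' stand in for '+' and '/',
  // and the trailing '=' padding is dropped. Restore both before atob().
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return new TextDecoder().decode(bytes); // header and claims are UTF-8 JSON
}

function base64UrlEncode(text) {
  // Inverse of the above; used here only to build the constructed sample token.
  const bin = Array.from(new TextEncoder().encode(text), (b) => String.fromCharCode(b)).join("");
  return btoa(bin).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Decodes without verifying. `nowSeconds` is injectable so expiry can be checked
// against a fixed clock; it defaults to the current time.
function decodeJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  // Tolerate the two paste mistakes the FAQ mentions: surrounding whitespace or quotes.
  const parts = token.trim().replace(/^"|"$/g, "").split(".");
  if (parts.length !== 3) {
    throw new Error(`expected 3 dot-separated segments, got ${parts.length}`);
  }
  const [h, p, s] = parts;
  const header = JSON.parse(base64UrlDecode(h));
  const payload = JSON.parse(base64UrlDecode(p));
  const exp = typeof payload.exp === "number" ? payload.exp : null;
  return {
    header,
    payload,
    signature: s, // shown as-is; checking it needs the issuer's key, which we do not have
    expiresAt: exp === null ? null : new Date(exp * 1000).toISOString(),
    expired: exp === null ? null : nowSeconds >= exp, // RFC 7519: valid only while now < exp
    verified: false, // always false: decoding is not verification
  };
}

// Constructed sample token. The third segment is not a real MAC, which is
// exactly why a decoded token must never be trusted without server-side verification.
const SAMPLE_EXP = 1700000000; // 2023-11-14T22:13:20Z
const SAMPLE_TOKEN = [
  base64UrlEncode(JSON.stringify({ alg: "HS256", typ: "JWT" })),
  base64UrlEncode(JSON.stringify({ iss: "https://issuer.example", sub: "user-42", iat: 1699990000, exp: SAMPLE_EXP })),
  base64UrlEncode("not-a-real-signature"),
].join(".");
```

Calling `decodeJwt(SAMPLE_TOKEN)` returns the parsed header and claims with `expired: true` (the constructed exp is in the past) and `verified: false`.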