JWT Decoder
Decode a JWT's header and payload (signature not verified).
Results appear as you type
Everything runs locally in your browser โ your input never leaves this page.
About the JWT Decoder
The JWT Decoder splits a JSON Web Token into its three parts and decodes the header and payload into readable JSON so you can inspect claims like issuer, subject, expiry and custom data. It is ideal for debugging authentication flows and confirming what a token actually contains. Note that this tool decodes only; it does not verify the cryptographic signature, and all decoding happens privately in your browser.
How to use
- Paste your JWT (the three dot-separated segments) into the input.
- View the decoded header showing the algorithm and token type.
- Inspect the payload to read its claims, including any expiry timestamp.
- Use the decoded values to debug your authentication setup.
Frequently asked questions
- Does this tool verify the JWT signature?
- No. It only decodes the header and payload so you can read them. Signature verification requires the secret or public key and should be done by your backend, never trusted from a decoder.
- Is it safe to paste a real token here?
- Decoding runs entirely in your browser, so the token is not sent anywhere. Still, treat live access tokens carefully and avoid sharing decoded output that contains sensitive claims.
- How do I tell if a token is expired?
- Check the exp claim in the payload, which is a Unix timestamp. If that time is in the past, the token is expired even though the decoder will still display its contents.