JWT Decoder

Decode JSON Web Tokens to view header, payload, and expiry information.

This tool decodes JSON Web Tokens (JWTs) so you can inspect their header and payload in a readable JSON format. It helps you understand what a token contains — such as claims, issuer details, and expiration time — without requiring secret keys or verification.

JWTs are commonly used for authentication and authorization in APIs. While they look opaque at first glance, most JWTs are only Base64URL-encoded, not encrypted. Decoding them is often the fastest way to debug authentication issues or inspect token contents.

How JWT Decoding Works

A JWT consists of three dot-separated parts: header.payload.signature. The header and payload are Base64URL-encoded JSON objects, while the signature is used for integrity verification.

This tool decodes the header and payload by reversing the Base64URL encoding and parsing the resulting JSON. The signature is not validated, as verification requires access to secret keys or public certificates that are not available client-side.

  • Only decoding is performed; signatures are not verified
  • Encrypted JWTs (JWE) cannot be decoded without keys

Inputs and Options Explained

The tool focuses on safe inspection rather than validation. The available options affect readability, not the decoded data.

  • JWT token — Paste the full token in the format header.payload.signature.
  • Pretty JSON — Formats decoded header and payload for easier reading.
  • Trim input — Removes accidental whitespace that can break decoding.

Examples and Edge Cases

If a token is malformed or missing sections, decoding will fail. Tokens with invalid Base64URL encoding or non-JSON payloads cannot be parsed.

Expiration times (exp) are typically expressed as Unix timestamps. A decoded token may appear valid structurally even if it is expired or revoked — this tool does not evaluate token validity.
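
The decoding steps and failure cases described above can be sketched as follows. This is an added example, not this tool's own code; the names decodeSegment, inspectJwt, b64url and SAMPLE are hypothetical, the sample token is constructed, and Node's Buffer stands in for the browser's atob.

```javascript
// Added example: decode-only JWT inspection. No signature check is performed.
function decodeSegment(segment) {
  // Base64URL alphabet only; JWT segments carry no '=' padding.
  if (!/^[A-Za-z0-9_-]+$/.test(segment) || segment.length % 4 === 1) {
    throw new Error("invalid Base64URL segment");
  }
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  // Node's Buffer; in a browser use atob() plus TextDecoder instead.
  const text = Buffer.from(b64, "base64").toString("utf8");
  let value;
  try {
    value = JSON.parse(text);
  } catch {
    throw new Error("segment is not JSON");
  }
  if (value === null || typeof value !== "object" || Array.isArray(value)) {
    throw new Error("segment is not a JSON object");
  }
  return value;
}

function inspectJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length === 5) throw new Error("JWE token: cannot decode without keys");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const header = decodeSegment(parts[0]);
  const payload = decodeSegment(parts[1]);
  const hasExp = Number.isFinite(payload.exp);
  const when = hasExp ? new Date(payload.exp * 1000) : null;
  return {
    header,
    payload,
    expiresAt: when && !isNaN(when) ? when.toISOString() : null,
    expired: hasExp ? payload.exp <= nowSeconds : null,
    signatureVerified: false, // never true here: decoding proves nothing about integrity
  };
}

// Constructed sample token; the third segment is a placeholder, not a real signature.
const b64url = (obj) =>
  Buffer.from(JSON.stringify(obj)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const SAMPLE = [
  b64url({ alg: "HS256", typ: "JWT" }),
  b64url({ iss: "https://issuer.example", sub: "user-1", exp: 1700000000 }),
  "placeholder-signature",
].join(".");
```

The expired flag only compares exp with the clock; it says nothing about revocation or whether the signature would verify.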

Who Should Use This Tool

This tool is intended for inspection and debugging, not security enforcement.

  • Backend and frontend developers debugging auth flows
  • QA engineers validating token claims in test environments
  • Security engineers inspecting token structure
  • Anyone learning how JWTs are structured

Related Concepts

JWT decoding is one part of a broader authentication ecosystem.

  • JWT claims — Standard fields like iss, sub, exp, and aud.
  • JWS vs JWE — Signed tokens versus encrypted tokens.
  • Token verification — Ensuring integrity using shared secrets or public keys.

Since JWTs rely on Base64URL encoding, inspecting token segments with the Base64 Encoder & Decoder can help debug encoding issues. For improving readability of decoded payloads, the JSON Formatter is often used alongside JWT decoding.

Frequently Asked Questions

No. This tool only decodes the header and payload. Signature verification requires secret keys or certificates.
No. Encrypted JWTs require decryption keys and cannot be decoded client-side without them.
Decoding only shows token contents. A token may be expired, revoked, or have an invalid signature even if it decodes correctly.
No. All decoding happens locally in your browser. Tokens are never uploaded or stored.
Decoding is local, but tokens may contain sensitive data. Avoid sharing or logging decoded tokens in insecure environments.