JWT decoder
View JWT header and payload as JSON (no signature verify).
About this tool
Decode a JSON Web Token to inspect its header and payload without sending it anywhere. The safe way to see what claims a token carries.
Why use it
- Reveals the header and payload in readable JSON.
- Shows standard claims like expiry and issuer.
- Decoding stays in your browser — your token is never transmitted.
Common use cases
- Debug an auth flow by checking a token's claims.
- Confirm a token's expiry time while testing.
- Inspect which scopes a token grants.
Tips
- Decoding is not verification — it does not check the signature.
- Never paste production tokens into tools you do not trust; this one runs locally.
How to use
- Paste JWT.
- View header and payload.
- Signature not verified.
FAQ
- What does the JWT decoder show?
- It decodes the header and payload so you can read the claims inside a JSON Web Token.
- Is my token sent to a server?
- No. Decoding happens in your browser, so sensitive tokens stay on your device.
- Does it verify the signature?
- It decodes and displays the contents; it does not validate the signature, which needs the secret key.
- Can I see when a token expires?
- Yes, timestamp claims like exp and iat are shown so you can check validity.
- Is the payload encrypted?
- No. A standard JWT payload is only Base64-encoded, so never put secrets in it.
- Why are there three parts?
- A JWT is header.payload.signature, each Base64url-encoded and separated by dots.