JWT Decoder

Decode the header and payload of a JSON Web Token (no signature verification)

Signature is shown raw — this tool does not verify it. To verify authenticity, use a server with the secret/public key.

What is a JWT?

A JSON Web Token is three Base64URL-encoded parts separated by dots: a header (which algorithm is used), a payload (the claims — typically user ID, expiration, scopes), and a signature. The header and payload are NOT encrypted, just encoded — anyone with the token can read them. The signature proves the token wasn't tampered with.

The decoder splits the three parts, Base64URL-decodes the first two, and pretty-prints the JSON. It does NOT verify the signature — that requires the issuing server's secret or public key. Don't paste production tokens into untrusted decoders; this one is browser-only and never uploads, but as a habit, use tokens from your own dev environment for testing.

Examples

Decoding a sample token
Input
eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyXzEiLCJleHAiOjE3MDAwMDAwMDB9.signature
Output
Header:
{"alg": "HS256"}

Payload:
{"sub": "user_1", "exp": 1700000000}

Frequently asked questions

Does the decoder verify the signature?

No — verification requires the secret (HS256) or public key (RS256) used to sign the token. The decoder only shows you what's inside; trust comes from server-side verification.

Are JWT contents encrypted?

No, just Base64URL-encoded. Anyone with the token can read the claims. Use JWE (encrypted JWTs) if claims need to be confidential.

What does the `exp` claim mean?

Unix timestamp at which the token expires. Tokens past their `exp` should be rejected by the server. The decoder flags expired tokens for you.

Can I decode a malformed token?

If a part fails to Base64-decode or parse as JSON, the decoder shows an error pointing at the offending part.
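The decode-and-flag logic the page describes (split on dots, Base64URL-decode header and payload, parse the JSON, name the offending part on failure, flag a past `exp`, leave the signature untouched), as an added JavaScript example rather than the tool's own source; the `decodeJwt` name and its `nowSeconds` parameter are assumptions made here.

```javascript
// Added example: a minimal JWT decoder (no signature verification) written for this
// page; it is not the tool's own source. Assumes RFC 7515 Base64URL and UTF-8 JSON.

// Base64URL -> Uint8Array. Rejects characters outside the URL-safe alphabet and
// impossible lengths instead of silently producing garbage.
function base64UrlToBytes(s) {
  if (!/^[A-Za-z0-9_-]*$/.test(s)) throw new Error("character outside Base64URL alphabet");
  if (s.length % 4 === 1) throw new Error("invalid Base64URL length");
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/") + "=".repeat((4 - (s.length % 4)) % 4);
  // atob exists in browsers and modern Node; Buffer is the fallback for older Node
  const bin = typeof atob === "function" ? atob(b64) : Buffer.from(b64, "base64").toString("binary");
  return Uint8Array.from(bin, (c) => c.charCodeAt(0));
}

// Decode one JSON part; every error names the offending part.
function decodeJsonPart(name, raw) {
  let text;
  try {
    text = new TextDecoder("utf-8", { fatal: true }).decode(base64UrlToBytes(raw));
  } catch (e) {
    throw new Error(`${name}: Base64URL decode failed (${e.message})`);
  }
  let value;
  try {
    value = JSON.parse(text);
  } catch (e) {
    throw new Error(`${name}: not valid JSON (${e.message})`);
  }
  if (value === null || typeof value !== "object" || Array.isArray(value)) {
    throw new Error(`${name}: must be a JSON object`);
  }
  return value;
}

// Returns { header, payload, signature, expired } or { error } for a malformed token.
// The signature is passed through untouched: nothing here checks it.
function decodeJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) return { error: `expected 3 dot-separated parts, found ${parts.length}` };
  try {
    const header = decodeJsonPart("header", parts[0]);
    const payload = decodeJsonPart("payload", parts[1]);
    // exp is a NumericDate in seconds; a missing or non-numeric exp means "no expiry"
    const expired = typeof payload.exp === "number" && payload.exp <= nowSeconds;
    return { header, payload, signature: parts[2], expired };
  } catch (e) {
    return { error: e.message };
  }
}
```

Run against the sample token from the Examples section, `decodeJwt(token, 1699999999)` yields the header and payload shown there with `expired: false`; passing a clock at or past 1700000000 flips `expired` to true.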

Is my token uploaded?

No. Decoding is pure JavaScript — your token stays on your device.