JWT Decoder Online
Paste a JSON Web Token to decode its header and payload into readable JSON. Use this for debugging claims such as exp, iat, iss, aud, and sub, while remembering that decoding does not verify the signature.
JWT input
Paste a token with three dot-separated parts: header.payload.signature.
Runs in your browser for normal use. Avoid pasting live access tokens, refresh tokens, private logs, customer data, or production credentials into any online utility.
Decoded JWT
Review decoded header and payload JSON. Signature status is informational only.
Security boundary
Decoding shows the token contents; it does not verify that the token is trusted, unmodified, unexpired, or accepted by your application. JWT payloads are Base64URL-decoded and are not encrypted by default.
How to use the JWT Decoder
Use this tool for safe inspection of test tokens, redacted examples, and authentication debugging data.
1. Paste a JWT
Enter a token with header, payload, and signature segments separated by dots.
2. Decode visible content
Click Decode JWT to Base64URL-decode the header and payload into formatted JSON.
3. Review claims carefully
Inspect claims such as exp, iat, iss, aud, sub, roles, or scopes, but do not trust them until your backend verifies the token.
JWT decode vs verify
A decoder and a verifier answer different questions. Keep that boundary clear when debugging authentication flows.
Decode means inspect
Decoding reads the Base64URL-encoded header and payload so you can see token metadata and claims.
Verify means trust check
Verification checks the signature with the correct secret or public key and should happen in trusted server-side code.
Payload is not encrypted by default
JWT payload data is usually readable by anyone who has the token, so avoid storing secrets inside normal JWT payloads.
Common JWT debugging use cases
JWT decoding is useful for development and troubleshooting, especially when you use redacted or non-production examples.
Inspect auth claims
Check sub, iss, aud, scopes, roles, and custom claims when debugging login or API authorization flows.
Check timestamp claims
Review exp, iat, and nbf values to understand expiration, issued-at time, and not-before boundaries.
Review header metadata
Look at alg, typ, kid, and related header values before confirming signature behavior in your backend.
JWT Decoder FAQ
Does this JWT decoder verify signatures?
No. This tool only decodes the visible header and payload. Signature verification requires the correct secret or public key and must happen in trusted backend code.
Is JWT payload data encrypted?
Not by default. Normal JWT payloads are Base64URL-encoded, which means they can usually be decoded and read by anyone who has the token.
What does an invalid token error mean?
It usually means the token does not have three dot-separated segments, one segment is not valid Base64URL data, or the decoded header or payload is not valid JSON.
Should I paste real access tokens here?
Avoid pasting live access tokens, refresh tokens, private logs, customer data, or production credentials into any online utility. Prefer test tokens or redacted examples.
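The decode step and the three invalid-token conditions from the FAQ, as an added JavaScript example (not this tool's own code). The function names, note strings, and sample tokens are constructed for illustration; the result always carries `verified: false` because decoding alone cannot establish trust.

```javascript
// Added example: decode-only JWT inspection. Nothing here checks the signature.
const B64URL = /^[A-Za-z0-9_-]+$/;

function b64urlToJson(segment, name) {
  if (!B64URL.test(segment) || segment.length % 4 === 1) {
    throw new Error(`${name} is not valid Base64URL`);
  }
  // Base64URL -> Base64: swap the URL-safe characters and restore padding.
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/')
    .padEnd(Math.ceil(segment.length / 4) * 4, '=');
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  let value;
  try {
    value = JSON.parse(new TextDecoder('utf-8', { fatal: true }).decode(bytes));
  } catch {
    throw new Error(`${name} is not valid JSON`);
  }
  if (value === null || typeof value !== 'object' || Array.isArray(value)) {
    throw new Error(`${name} is not a JSON object`);
  }
  return value;
}

function decodeJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split('.');
  if (parts.length !== 3) throw new Error('expected three dot-separated segments');
  const header = b64urlToJson(parts[0], 'header');
  const payload = b64urlToJson(parts[1], 'payload');
  const notes = [];
  if (String(header.alg).toLowerCase() === 'none') notes.push('alg is "none": token is unsigned');
  if (typeof payload.exp === 'number' && nowSeconds >= payload.exp) notes.push('exp is in the past');
  if (typeof payload.nbf === 'number' && nowSeconds < payload.nbf) notes.push('nbf is in the future');
  // verified is always false: a decoder cannot tell whether the signature is genuine.
  return { header, payload, notes, verified: false };
}

// Constructed sample data (not a real credential); the third segment is a placeholder.
const enc = (obj) => btoa(JSON.stringify(obj)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
function sampleToken(payload) {
  return `${enc({ alg: 'HS256', typ: 'JWT' })}.${enc(payload)}.c2lnbmF0dXJl`;
}
// Same signature segment, different payload: both decode without complaint.
const original = sampleToken({ sub: 'user-1', roles: ['viewer'], exp: 1700000000 });
const edited = sampleToken({ sub: 'user-1', roles: ['admin'], exp: 1700000000 });
```

Both `original` and `edited` decode cleanly even though they share one signature segment, which is why claims read this way must not drive authorization until the backend has verified the token.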