JWT Decoder


Decode a JWT (JSON Web Token) to view its header and payload contents. This tool decodes the base64url-encoded parts of a JWT and displays them as readable JSON. Note: This tool does NOT verify the signature; it only decodes the token for inspection purposes.


JWT Decoder - View Token Payload & Header

What is a JWT decoder?

A JWT decoder parses JSON Web Tokens and displays the header and payload as readable JSON. JWTs encode user claims, permissions, and metadata for APIs and authentication systems. Use this tool to inspect tokens during development or debugging without installing libraries.

How to use the JWT decoder

  1. Paste the token: Enter the full JWT string (three base64url-encoded segments separated by dots).
  2. Decode: Click Decode to view the header and payload.
  3. Review claims: Check expiration, issuer, and custom claims in plain JSON.

Why use this tool?

  • Quick inspection: See what's inside a token without writing code.
  • Debug auth issues: Verify claims like exp, iat, and sub match expectations.
  • Learn JWT structure: Understand header algorithms and payload anatomy.

Use case 1: Auth debugging

Decode access tokens to confirm the user ID, roles, and expiration are correct before calling APIs.

Use case 2: API integration

Inspect third-party tokens to understand what claims they provide and how to validate them.

Use case 3: Security review

During audits, check token headers for unsafe or unexpected alg values (e.g., alg: "none", which marks the token as unsigned) that could indicate an algorithm confusion attack.

Examples

Basic example

Input: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIn0.Gfx6VO9tcxwk6xqx9yYzSfebfeakZp5JYIgP_edcw_A
Header:

{
  "alg": "HS256",
  "typ": "JWT"
}

Payload:

{
  "sub": "1234567890",
  "name": "John Doe"
}

Advanced example

Token with expiration and custom claims: Payload shows iat, exp, and any app-specific fields like roles or tenant_id.

Common errors

Invalid token format

JWTs have exactly three segments. If you see an error, check that the full token (including all three parts) was pasted.

Expired tokens

A decoded token may have an exp claim in the past. Decode still works, but the token is no longer valid for API calls.
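The checks described above (three segments, valid base64url, well-formed JSON, exp in the past, alg: "none") can be reproduced in a few lines. This is an added example, not this tool's source code; the function names inspectJwt and decodeSegment are hypothetical, and it assumes a browser or Node 16+ where atob and TextDecoder are globals.

```javascript
// Added example: decode-only inspection of a JWT. No signature is verified.
const B64URL = /^[A-Za-z0-9_-]+$/;

function decodeSegment(seg, name) {
  if (!B64URL.test(seg) || seg.length % 4 === 1) {
    throw new Error(`${name}: invalid base64url`);
  }
  // base64url -> base64, restoring the padding that JWTs strip
  const b64 = seg.replace(/-/g, "+").replace(/_/g, "/")
    .padEnd(Math.ceil(seg.length / 4) * 4, "=");
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  let value;
  try {
    value = JSON.parse(new TextDecoder("utf-8", { fatal: true }).decode(bytes));
  } catch {
    throw new Error(`${name}: malformed JSON`);
  }
  if (value === null || typeof value !== "object" || Array.isArray(value)) {
    throw new Error(`${name}: not a JSON object`);
  }
  return value;
}

function inspectJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) {
    throw new Error("invalid token format: expected 3 segments");
  }
  const header = decodeSegment(parts[0], "header");
  const payload = decodeSegment(parts[1], "payload");
  const warnings = [];
  if (String(header.alg).toLowerCase() === "none") {
    warnings.push("alg is none: token is unsigned");
  }
  if (parts[2] === "") warnings.push("signature segment is empty");
  if (typeof payload.exp !== "number") {
    warnings.push("no numeric exp claim");
  } else if (payload.exp <= nowSeconds) {
    // exp is epoch seconds; Date expects milliseconds
    warnings.push("expired at " + new Date(payload.exp * 1000).toISOString());
  }
  // verified stays false: decoding alone proves nothing about authenticity
  return { header, payload, warnings, verified: false };
}

// The token from the basic example on this page
const SAMPLE = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIn0.Gfx6VO9tcxwk6xqx9yYzSfebfeakZp5JYIgP_edcw_A";
```

The returned warnings are inspection hints only; a server must still verify the signature with the expected algorithm and key before acting on any claim.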

Tips and proven approaches

  • Decoding reveals payload content but doesn't verify the signature; verification requires the secret or public key.
  • For tokens with long payloads, format the JSON using the JSON formatter.
  • Check exp timestamps by converting epoch seconds to dates in your timezone.


Privacy and security

Decoding happens locally in your browser. No tokens are uploaded, so session keys and user data stay private. Avoid pasting production tokens with sensitive claims in shared environments.

Frequently Asked Questions
JWT (JSON Web Token) is a compact, URL-safe token format used for securely transmitting information between parties. It consists of three parts: header, payload, and signature, separated by dots.
No, this tool only decodes the JWT to display its contents. It does not verify the signature. Never trust the contents of an unverified JWT in production applications.
Yes, all decoding happens in your browser. The JWT is never sent to any server. However, be cautious about decoding JWTs containing sensitive information on shared computers.
Common errors include: invalid format (must have 3 parts separated by dots), invalid Base64 encoding, or malformed JSON in the header or payload.