
JWT Decoder

Decode JWT header and payload (no signature verification).

Free • Unlimited (Beta)

Limits will be introduced later; early users will get benefits.


About the JWT Decoder

Overview

A JWT (JSON Web Token) has three parts: header, payload, and signature, each base64url-encoded and separated by dots. This tool decodes the header and payload so you can inspect claims (e.g. exp, sub) without verifying the signature. Decoding is read-only: we do not validate the signature or check keys, so use it for debugging or inspection only, not for security decisions. JWTs are often used for API auth and sessions. For hashing data use the Hash Generator; for encoding/decoding raw Base64 use the Base64 tool.

When to use it

Use the decoder when you receive a JWT from an API or app and want to see what is inside (claims, expiration, issuer). Use it when debugging auth flows or logging. Do not use it to decide whether to trust a token—that requires signature verification with the correct key. For creating or signing JWTs use a proper library. For general Base64 strings (not JWT) use the Base64 tool. For one-way hashes use the Hash Generator.

How to use it

Paste the full JWT (header.payload.signature) into the input area. Click Decode. The tool shows the header and payload as pretty-printed JSON in tabs, and the signature as raw length and base64url string. Use Copy Header JSON or Copy Payload JSON to copy the decoded parts. If the token is malformed (wrong base64, invalid JSON), an error message appears. Clear resets the form. We do not store or log the token; decoding runs in your session.

Tips

JWTs are not encrypted; anyone can decode the header and payload. Do not put sensitive data in the payload without encryption. Check the exp (expiration) claim to see whether the token has expired; an unexpired token is still untrusted until its signature is verified. The signature is computed over the encoded header and payload (an HMAC or a digital signature, depending on the alg in the header); verification needs the secret or public key. For raw base64url decoding of a single part, you can use the Base64 tool after replacing - with + and _ with / and restoring any stripped = padding. The Hash Generator is for hashing arbitrary data, not for JWT signatures.
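The decode steps described above (split on dots, restore base64url padding, parse the JSON, read exp), as an added example that is not this tool's own code. The function names, the MalformedToken error and the sample token are assumptions constructed for illustration.

```python
import base64
import json
import time


class MalformedToken(ValueError):
    """Input is not header.payload.signature with JSON header and payload."""


def b64url_decode(part):
    # JWT parts use the URL-safe alphabet (- and _) with '=' padding stripped.
    if any(c in "+/=" for c in part):
        raise MalformedToken("standard Base64 characters in a base64url part")
    padded = part + "=" * (-len(part) % 4)  # restore the stripped padding
    try:
        return base64.b64decode(padded, altchars=b"-_", validate=True)
    except ValueError as exc:
        raise MalformedToken(f"bad base64url: {exc}") from exc


def decode_unverified(token, now=None):
    """Decode for inspection only; the signature is never checked."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise MalformedToken(f"expected 3 parts, got {len(parts)}")
    try:
        header = json.loads(b64url_decode(parts[0]))
        payload = json.loads(b64url_decode(parts[1]))
    except (UnicodeDecodeError, json.JSONDecodeError) as exc:
        raise MalformedToken(f"header or payload is not JSON: {exc}") from exc
    if not isinstance(header, dict) or not isinstance(payload, dict):
        raise MalformedToken("header and payload must be JSON objects")
    exp = payload.get("exp")
    expired = None  # None means the payload has no numeric exp claim
    if isinstance(exp, (int, float)) and not isinstance(exp, bool):
        expired = (time.time() if now is None else now) >= exp
    return {"header": header, "payload": payload, "expired": expired,
            "signature_len": len(b64url_decode(parts[2])), "verified": False}


# Constructed sample token; the third part is placeholder bytes, not a real MAC.
SAMPLE = ".".join(
    base64.urlsafe_b64encode(p).rstrip(b"=").decode()
    for p in (b'{"alg":"HS256","typ":"JWT"}',
              b'{"sub":"user-123","exp":1700000000}',
              b"not-a-real-signature"))

if __name__ == "__main__":
    print(json.dumps(decode_unverified(SAMPLE), indent=2))
```

The result always carries verified: False, so calling code cannot mistake a decoded payload for a trusted one.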

Common mistakes

Pasting only part of the JWT (e.g. missing the signature) can cause decode errors. Assuming "decoded" means "verified" is wrong: this tool does not verify. Trusting payload content without verification is insecure. Do not paste production tokens into shared or insecure environments. For checksums of files or text use the Hash Generator; for encoding/decoding non-JWT Base64 use the Base64 tool.


FAQ

A compact token with header, payload, and signature (each base64url). Used for API auth and sessions.

No. This tool only decodes. Verification requires the secret or public key.

No. Decoding runs in your session; we do not store or log tokens.

Invalid base64url or JSON in header/payload. Ensure the full token (three parts) is pasted.

JWT has three base64url parts. For a single Base64 string use the Base64 tool.