JWT Decoder — Decode & Inspect JSON Web Tokens
This free JWT decoder reads and inspects JSON Web Tokens, showing the header, payload, and signature of any token. A JWT (defined in RFC 7519) is three Base64URL segments joined by dots; the header and payload are only encoded, not encrypted, so anyone can read their claims — which is why you must never store secrets in a token. It surfaces standard claims like exp, iat, iss, and aud. This decoder runs entirely in your browser, so tokens you paste never leave your device.
How JWT decoding works
A JSON Web Token (JWT) consists of three Base64url-encoded parts separated by dots: Header.Payload.Signature. The header names the signing algorithm (e.g., HS256, RS256). The payload contains claims — standard fields like sub (subject), iat (issued at), exp (expiry), and aud (audience), plus any custom claims added by the application. The signature is computed over the encoded header and payload with a key: an HMAC under a shared secret for HS256, an RSA signature under a private key for RS256.
This tool decodes the header and payload by Base64url-decoding each segment and parsing the resulting JSON. The expiry timestamp (exp) is displayed as a human-readable date. Important: decoding a JWT does not verify its authenticity — the signature is not validated here, as that requires the secret key or public key from the server. A decoded JWT shows you what claims it contains; only server-side signature verification confirms those claims are trustworthy. Never trust decoded JWT claims for access control in a browser.
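The decode-only behaviour described above, as an added JavaScript example (not this tool's own source): it decodes a constructed token and the same token with one claim edited, and both decode cleanly because the signature segment is never checked. The names `decodeJwt`, `withEditedClaim` and `SAMPLE`, and all claim values, are assumptions made for the illustration.

```javascript
// Added example: decode-only JWT inspection. No signature check happens here.
function b64urlToText(seg) {
  // Base64url uses '-' and '_' and drops '=' padding; restore standard Base64.
  if (!/^[A-Za-z0-9_-]+$/.test(seg)) throw new Error("segment is not Base64url");
  const b64 = seg.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes);
}

function textToB64url(text) {
  const bytes = new TextEncoder().encode(text);
  const bin = Array.from(bytes, (b) => String.fromCharCode(b)).join("");
  return btoa(bin).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

function decodeJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const header = JSON.parse(b64urlToText(parts[0]));
  const payload = JSON.parse(b64urlToText(parts[1]));
  const hasExp = typeof payload.exp === "number";
  return {
    header,
    payload,
    signature: parts[2], // opaque here: carried along, never checked
    expiresAt: hasExp ? new Date(payload.exp * 1000).toISOString() : null,
    expired: hasExp ? payload.exp <= nowSeconds : null,
    verified: false, // decoding alone says nothing about authenticity
  };
}

// Constructed sample token; the signature segment is a placeholder, not a real MAC.
const sampleHeader = textToB64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
const sampleClaims = { sub: "user-123", role: "viewer", iat: 1700000000, exp: 1700003600 };
const SAMPLE = `${sampleHeader}.${textToB64url(JSON.stringify(sampleClaims))}.c2lnLXBsYWNlaG9sZGVy`;

// Same token with one claim edited and the old signature segment left in place.
function withEditedClaim(token, name, value) {
  const [h, p, s] = token.split(".");
  const edited = { ...JSON.parse(b64urlToText(p)), [name]: value };
  return `${h}.${textToB64url(JSON.stringify(edited))}.${s}`;
}

const decodedOriginal = decodeJwt(SAMPLE, 1700000100);
const decodedEdited = decodeJwt(withEditedClaim(SAMPLE, "role", "admin"), 1700000100);
console.log(decodedOriginal.payload.role, decodedEdited.payload.role, decodedEdited.verified);
```

Both results carry `verified: false`; a server that checks the signature with its key would reject the edited token, which is the check a decoder cannot perform.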