JWT Decoder
Decode JSON Web Tokens (JWT) to inspect the header, payload, and signature. Runs entirely in your browser — tokens are never sent to any server.
Last updated:
{
"alg": "HS256",
"typ": "JWT"
}{
"sub": "1234567890",
"name": "Ada Lovelace",
"iat": 1516239022
}Security note: this tool only decodes the token — it does not verify the signature. Never paste production tokens into any online tool you don’t fully trust.
Paste a JWT above to instantly decode the header and payload. Everything runs in your browser — the token is never sent anywhere.
What is JWT Decoder?
A JSON Web Token (JWT, RFC 7519) is a compact, URL-safe way to transmit claims between two parties. It has three Base64URL-encoded parts joined by dots: `header.payload.signature`. The header names the algorithm, the payload carries the claims, and the signature protects integrity. Decoding is trivial and public; verification requires the signing key.
How to decode a JWT
- 1Copy the JWT — it looks like `eyJhbGciOi....eyJzdWIiOi....signature`.
- 2Paste it into the input area on this page.
- 3The header (algorithm, type) and payload (claims like `sub`, `exp`, `iat`, `iss`) are decoded and shown as JSON.
- 4Check `exp` (expiration) against the current time to see if the token is still valid.
- 5Signature verification requires the secret/key — this tool does not perform it (nor should any online tool you don't fully trust).
Use Cases
Debug 401 responses
When an API returns 401, decode the caller's token here to check for expired `exp`, wrong `aud`, or missing scopes.
Inspect OAuth / OIDC ID tokens
Providers like Auth0, Cognito, and Firebase issue JWTs. Decode them to see user identity, groups, and email verification status.
Verify claim shape
Confirm that your token issuer is including the fields your backend expects — no more guesswork.
Educational / interview prep
Understand what's actually inside a JWT to answer 'how does JWT work' with concrete examples.
Code Examples
Decode a JWT in Node.js (jsonwebtoken)
import jwt from "jsonwebtoken";
// Decode without verifying
const decoded = jwt.decode(token, { complete: true });
// Verify with secret
const verified = jwt.verify(token, secret);Decode a JWT in Python (PyJWT)
import jwt
# Decode without verifying
data = jwt.decode(token, options={"verify_signature": False})
# Verify with secret
data = jwt.decode(token, key=secret, algorithms=["HS256"])Decode a JWT in Go
import "github.com/golang-jwt/jwt/v5"
token, _, err := jwt.NewParser().ParseUnverified(raw, jwt.MapClaims{})Decode a JWT with jq
# Split on '.', base64 -d the payload, pretty-print
echo $TOKEN | cut -d '.' -f2 | base64 -d 2>/dev/null | jq .Key Concepts
- Header
- The first segment. Declares the signing algorithm (`alg`) and token type (`typ`). Base64URL-encoded JSON.
- Payload / Claims
- The second segment. Standard claims: `iss` (issuer), `sub` (subject), `aud` (audience), `exp` (expires at, seconds since epoch), `nbf` (not before), `iat` (issued at), `jti` (unique id).
- Signature
- The third segment. HMAC (HS256/384/512) or RSA/ECDSA (RS256/ES256) over `base64url(header) + '.' + base64url(payload)`.
- alg: none attack
- Some libraries once accepted `alg: none` (unsigned) tokens. Modern libraries reject this — always specify allowed algorithms explicitly when verifying.
Tips & Best Practices
- ▸Never trust the payload without verifying the signature — the payload is just Base64, anyone can forge it.
- ▸For sensitive data, remember: JWT is signed, not encrypted. Payload is public. Use JWE if you need encryption.
- ▸Keep tokens short-lived (`exp` 15 min – 1 hour) and pair with a refresh token. Long-lived JWTs are a common security issue.
- ▸Always specify allowed algorithms in verification code — never pass `algorithms=[]` or accept whatever the token header says.
Frequently Asked Questions
Is my JWT sent to any server?
No. All decoding happens locally in your browser using JavaScript. Never paste production tokens into any online tool you do not fully trust — including this one — without understanding the code that runs.
Does this tool verify the signature?
No. Signature verification requires the signing key/secret, which we do not ask for. This tool decodes and displays the header and payload for inspection only.
What are the three parts of a JWT?
A JWT has three Base64URL-encoded parts joined by dots: header (algorithm and token type), payload (claims), and signature (used to verify integrity).
Related Tools
Hash Generator
Generate MD5, SHA-1, SHA-256, and SHA-512 hashes of any text online. All hashing happens in your browser using the Web Crypto API.
JWT Generator
Create signed JSON Web Tokens with HMAC-SHA algorithms. Set custom claims, expiration, and secret — everything runs locally in your browser.
HMAC Generator
Compute HMAC signatures with SHA-1, SHA-256, SHA-384, or SHA-512. Used to verify API requests, sign webhooks, and authenticate messages.
JSON Formatter
Format, beautify, and validate JSON online. Free, fast, and 100% local — your data never leaves your browser.
JSON Validator
Validate JSON online with instant error location and structure statistics (depth, keys, node types). 100% local — your JSON never leaves the browser.
JSON → TypeScript
Convert JSON to TypeScript interfaces instantly. Generate strongly-typed TS types from any JSON sample.