DevKits

JWT Decoder

Decode JSON Web Tokens (JWT) to inspect the header, payload, and signature. Runs entirely in your browser — tokens are never sent to any server.

Last updated:

{
  "alg": "HS256",
  "typ": "JWT"
}
{
  "sub": "1234567890",
  "name": "Ada Lovelace",
  "iat": 1516239022
}
SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Security note: this tool only decodes the token — it does not verify the signature. Never paste production tokens into any online tool you don’t fully trust.

Paste a JWT above to instantly decode the header and payload. Everything runs in your browser — the token is never sent anywhere.

What is JWT Decoder?

A JSON Web Token (JWT, RFC 7519) is a compact, URL-safe way to transmit claims between two parties. It has three Base64URL-encoded parts joined by dots: `header.payload.signature`. The header names the algorithm, the payload carries the claims, and the signature protects integrity. Decoding is trivial and public; verification requires the signing key.

How to decode a JWT

  1. 1Copy the JWT — it looks like `eyJhbGciOi....eyJzdWIiOi....signature`.
  2. 2Paste it into the input area on this page.
  3. 3The header (algorithm, type) and payload (claims like `sub`, `exp`, `iat`, `iss`) are decoded and shown as JSON.
  4. 4Check `exp` (expiration) against the current time to see if the token is still valid.
  5. 5Signature verification requires the secret/key — this tool does not perform it (nor should any online tool you don't fully trust).

Use Cases

Debug 401 responses

When an API returns 401, decode the caller's token here to check for expired `exp`, wrong `aud`, or missing scopes.

Inspect OAuth / OIDC ID tokens

Providers like Auth0, Cognito, and Firebase issue JWTs. Decode them to see user identity, groups, and email verification status.

Verify claim shape

Confirm that your token issuer is including the fields your backend expects — no more guesswork.

Educational / interview prep

Understand what's actually inside a JWT to answer 'how does JWT work' with concrete examples.

Code Examples

Decode a JWT in Node.js (jsonwebtoken)

import jwt from "jsonwebtoken";

// Decode without verifying
const decoded = jwt.decode(token, { complete: true });
// Verify with secret
const verified = jwt.verify(token, secret);

Decode a JWT in Python (PyJWT)

import jwt

# Decode without verifying
data = jwt.decode(token, options={"verify_signature": False})

# Verify with secret
data = jwt.decode(token, key=secret, algorithms=["HS256"])

Decode a JWT in Go

import "github.com/golang-jwt/jwt/v5"

token, _, err := jwt.NewParser().ParseUnverified(raw, jwt.MapClaims{})

Decode a JWT with jq

# Split on '.', base64 -d the payload, pretty-print
echo $TOKEN | cut -d '.' -f2 | base64 -d 2>/dev/null | jq .

Key Concepts

Header
The first segment. Declares the signing algorithm (`alg`) and token type (`typ`). Base64URL-encoded JSON.
Payload / Claims
The second segment. Standard claims: `iss` (issuer), `sub` (subject), `aud` (audience), `exp` (expires at, seconds since epoch), `nbf` (not before), `iat` (issued at), `jti` (unique id).
Signature
The third segment. HMAC (HS256/384/512) or RSA/ECDSA (RS256/ES256) over `base64url(header) + '.' + base64url(payload)`.
alg: none attack
Some libraries once accepted `alg: none` (unsigned) tokens. Modern libraries reject this — always specify allowed algorithms explicitly when verifying.

Tips & Best Practices

  • Never trust the payload without verifying the signature — the payload is just Base64, anyone can forge it.
  • For sensitive data, remember: JWT is signed, not encrypted. Payload is public. Use JWE if you need encryption.
  • Keep tokens short-lived (`exp` 15 min – 1 hour) and pair with a refresh token. Long-lived JWTs are a common security issue.
  • Always specify allowed algorithms in verification code — never pass `algorithms=[]` or accept whatever the token header says.

Frequently Asked Questions

Is my JWT sent to any server?

No. All decoding happens locally in your browser using JavaScript. Never paste production tokens into any online tool you do not fully trust — including this one — without understanding the code that runs.

Does this tool verify the signature?

No. Signature verification requires the signing key/secret, which we do not ask for. This tool decodes and displays the header and payload for inspection only.

What are the three parts of a JWT?

A JWT has three Base64URL-encoded parts joined by dots: header (algorithm and token type), payload (claims), and signature (used to verify integrity).

Related Tools