JWT decode
Paste a JSON Web Token to read the header and payload as formatted JSON. The signature is displayed but not verified—never paste production secrets into third-party tools; here, processing stays in your browser.
Decode for debugging, verify in your backend
JWTs split into header, payload, and signature segments. Decoding shows claims such as exp, iss, and aud in plain JSON—useful when you compare tokens from auth servers and API gateways.
Signature verification requires the correct key material and algorithms in your service. To sign or verify HS256-family HMAC tokens locally, use JWT sign & verify. For X.509 certificate fields (not JWTs), use the PEM / X.509 viewer for PEM-encoded certificates only.
Using this page
Paste the entire token (three Base64url segments separated by dots). The workspace pretty-prints the header and payload so you can read exp, iat, scopes, and custom claims. To turn epoch seconds into a calendar instant, open the Unix timestamp converter. JWT segments are Base64url—if you are debugging raw bytes, the Encoding workspace covers standard Base64 and URL-safe text.
Only the header and payload are decoded (Base64url + JSON). The signature is shown as raw text—verifying it requires a secret or public key and is not performed here.
Header
{
  "alg": "HS256",
  "typ": "JWT"
}
Payload
{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022
}
Signature (raw)
Not verified—paste only tokens you are allowed to inspect.
SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
Nearby workflows on Toolcore
- Base64url — when JWT segments or URL-safe alphabets forbid + and /.
- Unix timestamp — for exp and iat claims beside decoded JSON.
Common use cases
- Inspect JWT payload claims like exp, iss, aud, and sub during authentication debugging.
- Verify token shape quickly when integrating OAuth or API gateways.
- Check whether custom claims are present before writing authorization logic.
Common mistakes to avoid
Treating decode as verification
Decoding only reads text. It does not validate signature integrity or trustworthiness.
Ignoring expiration and issuer checks
A readable payload is not enough. Always verify exp, nbf, iss, and aud in your backend logic.
Pasting production secrets into random sites
JWTs can contain sensitive identifiers. Use trusted tools and rotate secrets if exposure is suspected.
FAQ
Does JWT decode also validate the signature?
No. This tool decodes header and payload for inspection only. Signature verification must happen with the correct key in your application backend.
What should I check first after decoding a token?
Start with exp, iss, and aud, then review custom claims required by your access control logic.
Is token text sent to your server?
No. JWT decoding on this page runs in your browser tab.
Why do the segments look like garbled text before decode?
JWT header and payload are JSON objects encoded with Base64url (not encrypted). Decoding reveals the JSON; the signature segment is binary that should be verified with the issuer’s key in your backend—not decoded for “secrets.”