JWT decode

Paste a JSON Web Token to read the header and payload as formatted JSON. The signature is displayed but not verified. Never paste production secrets into third-party tools; on this page, processing stays in your browser.

Privacy: decoding runs in your browser. JWTs often contain account or session data—do not paste production tokens into untrusted sites. This page does not send your token to a server; still, treat pasted secrets as sensitive.
Only the header and payload are decoded (Base64url + JSON). The signature is shown as raw text—verifying it requires a secret or public key and is not performed here.

Header

{
  "alg": "HS256",
  "typ": "JWT"
}

Payload

{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022
}

Signature (raw)

Not verified—paste only tokens you are allowed to inspect.

SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Common use cases

  • Inspect JWT payload claims like exp, iss, aud, and sub during authentication debugging.
  • Verify token shape quickly when integrating OAuth or API gateways.
  • Check whether custom claims are present before writing authorization logic.

Common mistakes to avoid

  • Treating decode as verification

    Decoding only reads text. It does not validate signature integrity or trustworthiness.

  • Ignoring expiration and issuer checks

    A readable payload is not enough. Always verify exp, nbf, iss, and aud in your backend logic.

  • Pasting production secrets into random sites

    JWTs can contain sensitive identifiers. Use trusted tools and rotate secrets if exposure is suspected.
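
The difference between decoding and verifying, as an added Node.js example (not this tool's own code): a token whose payload was edited after signing still decodes cleanly, and only the backend-style check rejects it. The key, issuer, audience, timestamps and helper names are constructed for the demo, and making `exp` mandatory is an assumed policy.

```javascript
// Added example; key, issuer, audience and timestamps are constructed values.
const crypto = require("node:crypto");

const b64url = (s) => Buffer.from(s).toString("base64url");
const hmac = (key, data) => crypto.createHmac("sha256", key).update(data).digest();

// What a decoder does: Base64url + JSON on the first two segments, no key involved.
function decode(token) {
  const [h, p] = token.split(".");
  const parse = (seg) => JSON.parse(Buffer.from(seg, "base64url").toString("utf8"));
  return { header: parse(h), payload: parse(p) };
}

// Helper for this demo only: mint an HS256 token.
function sign(payload, key) {
  const input = `${b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }))}.${b64url(JSON.stringify(payload))}`;
  return `${input}.${b64url(hmac(key, input))}`;
}

// What the backend does: pin alg, check the signature, then exp, nbf, iss, aud.
function verify(token, key, { iss, aud, now }) {
  const fail = (reason) => ({ ok: false, reason });
  const parts = token.split(".");
  if (parts.length !== 3) return fail("malformed");
  let header, payload;
  try { ({ header, payload } = decode(token)); } catch { return fail("malformed"); }
  if (!header || !payload) return fail("malformed");
  if (header.alg !== "HS256") return fail("alg");
  const expected = hmac(key, `${parts[0]}.${parts[1]}`);
  const given = Buffer.from(parts[2], "base64url");
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) return fail("signature");
  // Policy assumption: exp is mandatory; nbf is checked only when present.
  if (typeof payload.exp !== "number" || now >= payload.exp) return fail("exp");
  if (typeof payload.nbf === "number" && now < payload.nbf) return fail("nbf");
  if (payload.iss !== iss) return fail("iss");
  const auds = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
  if (!auds.includes(aud)) return fail("aud");
  return { ok: true, payload };
}

const KEY = "constructed-demo-key";
const NOW = 1700000000; // fixed clock so the results are reproducible
const EXPECT = { iss: "https://issuer.example", aud: "api.example", now: NOW };
const claims = { sub: "1234567890", iss: EXPECT.iss, aud: EXPECT.aud, nbf: NOW - 60, exp: NOW + 300 };
const good = sign(claims, KEY);
const [h, , sig] = good.split(".");
// Payload edited after signing: still decodes cleanly, but the signature no longer matches.
const forged = [h, b64url(JSON.stringify({ ...claims, sub: "admin" })), sig].join(".");
console.log(decode(forged).payload.sub, verify(forged, KEY, EXPECT));
console.log(verify(good, KEY, EXPECT).ok, verify(good, KEY, { ...EXPECT, now: NOW + 301 }));
```
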

FAQ

Does JWT decode also validate the signature?

No. This tool decodes header and payload for inspection only. Signature verification must happen with the correct key in your application backend.

What should I check first after decoding a token?

Start with exp, iss, and aud, then review custom claims required by your access control logic.

Is token text sent to your server?

No. JWT decoding on this page runs in your browser tab.
