JWT Decoder
Paste a JSON Web Token to see its header and payload decoded and pretty-printed — decoding only, no signature verification, all in your browser.
{
  "alg": "HS256",
  "typ": "JWT"
}
{
  "sub": "1234567890",
  "name": "Jane Doe",
  "iat": 1700000000
}
This decodes the token only. It does not verify the signature, so it can't tell you whether the token is authentic or has been tampered with — never trust a decoded payload for authentication.
How it works
A JWT is three chunks joined by dots: a header, a payload, and a signature. The first two are just JSON that's been base64url-encoded, so anyone holding the token can read them — they aren't encrypted, only encoded.
This tool splits the token on the dots, base64url-decodes the first two parts, parses each as JSON, and prints them with indentation so the claims are easy to scan. The header usually tells you the signing algorithm; the payload carries claims like the subject, an issued-at time, and expiry.
The third segment, the signature, is what proves a token hasn't been altered. We deliberately don't touch it. That means a decoded payload here is not proof of anything — treat it as a peek at the contents, never as authentication.
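The steps above as an added JavaScript example (not this tool's own source). The names b64urlToText, decodeJwt, enc, SAMPLE and ALTERED are hypothetical, and the sample token is constructed from the example header and payload shown on this page.

```javascript
// Added example: decode-only JWT inspection (split, base64url-decode, parse).
// All function and constant names here are hypothetical.

// base64url -> UTF-8 text: restore '+' and '/', re-add '=' padding, decode.
function b64urlToText(segment) {
  if (!/^[A-Za-z0-9_-]+$/.test(segment)) throw new Error("not base64url");
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes);
}

// Returns { ok, header, payload, verified } or { ok, warning }. Never throws
// and never reads the signature: ok:true means "well-formed", not "authentic".
function decodeJwt(token) {
  const parts = String(token).trim().split(".");
  if (parts.length !== 3) {
    return { ok: false, warning: `expected 3 dot-separated parts, got ${parts.length}` };
  }
  try {
    const header = JSON.parse(b64urlToText(parts[0]));
    const payload = JSON.parse(b64urlToText(parts[1]));
    return { ok: true, header, payload, verified: false };
  } catch (err) {
    return { ok: false, warning: `malformed header or payload: ${err.message}` };
  }
}

// Constructed sample token built from the page's example header and payload.
const enc = (obj) =>
  btoa(JSON.stringify(obj)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const SAMPLE = [
  enc({ alg: "HS256", typ: "JWT" }),
  enc({ sub: "1234567890", name: "Jane Doe", iat: 1700000000 }),
  "constructed-signature-not-checked",
].join(".");

// Same token with a different payload and the old signature segment: it still
// decodes cleanly, which is why the result is marked verified:false.
const ALTERED = SAMPLE.split(".")
  .map((part, i) => (i === 1 ? enc({ sub: "someone-else" }) : part))
  .join(".");

console.log(JSON.stringify(decodeJwt(SAMPLE), null, 2));
console.log(JSON.stringify(decodeJwt(ALTERED), null, 2));
```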
Frequently asked questions
Does this verify the signature?
No. It decodes the header and payload only. Checking the signature needs the secret or public key, which stays on your server — so never trust a token just because it decoded cleanly here.
Is my token sent anywhere?
No. The decoding happens in your browser with JavaScript. Nothing is uploaded, which matters because tokens often carry sensitive claims.
Why did my token fail to decode?
Usually the token was truncated or isn't a real JWT. It needs three dot-separated parts where the first two are base64url-encoded JSON. If either part is malformed, you'll get a warning instead of a crash.