
JWT Decoder

Decode JWT tokens and inspect header, payload, and signature. Free online JWT decoder — no key required. No signup, 100% private, browser-based.

Decoder only. Signature verification is not performed in this tool.

How it works

The JWT Decoder parses a JSON Web Token (JWT) and displays its three components — header, payload, and signature — in a human-readable format. It checks that the token has the expected three-part structure and decodes the Base64url-encoded header and payload without requiring the signing secret; it does not check the signature.

JWTs are the standard authentication token format used by OAuth 2.0, OpenID Connect, and most modern APIs. They carry claims (user ID, roles, expiry time, issuer) in a self-contained, tamper-evident format. Understanding what's inside a JWT is essential for debugging authentication issues, inspecting API responses, and verifying token contents.

How to use it: paste a JWT (the three-part dot-separated string: header.payload.signature). The decoder splits the parts, Base64url-decodes the header and payload, and displays them as pretty-printed JSON. The expiry time (exp claim) is shown as a human-readable date. The issued-at time (iat) and not-before time (nbf) are also displayed in local time.

JWT anatomy: the header identifies the signing algorithm (typically RS256 or HS256) and token type. The payload contains the claims — standardized claims (iss, sub, aud, exp, iat, nbf, jti) and any custom claims added by the issuing service. The signature is what proves the header and payload were not tampered with — but checking it requires the secret or public key, and this tool does not perform that check.
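The decode-only flow described above, as an added example in JavaScript that is not the tool's own source: it splits the token, Base64url-decodes header and payload, converts exp/iat/nbf to dates, and flags expiry, while explicitly reporting that nothing was verified. The issuer, subject and signature segment in the sample token are constructed placeholders.

```javascript
// Added example, not the tool's code: decode a JWT the way the page describes.
// It does NOT verify the signature; a decoded token proves nothing about
// who issued it or whether the claims are authentic.

function base64UrlDecode(segment) {
  // Base64url (RFC 4648 section 5) uses '-' and '_' and drops '=' padding.
  const base64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = base64 + '='.repeat((4 - (base64.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

function base64UrlEncode(text) {
  return Buffer.from(text, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function decodeJwt(token, now = Math.floor(Date.now() / 1000)) {
  const parts = token.split('.');
  if (parts.length !== 3) {
    throw new Error(`expected 3 dot-separated parts, got ${parts.length}`);
  }
  const [headerB64, payloadB64, signatureB64] = parts;
  const header = JSON.parse(base64UrlDecode(headerB64));
  const payload = JSON.parse(base64UrlDecode(payloadB64));
  const times = {};
  for (const claim of ['exp', 'iat', 'nbf']) {
    if (typeof payload[claim] === 'number') {
      times[claim] = new Date(payload[claim] * 1000).toISOString(); // Unix seconds -> date
    }
  }
  return {
    header,
    payload,
    signature: signatureB64,   // kept as the raw Base64url string; never checked here
    times,
    expired: typeof payload.exp === 'number' && payload.exp <= now,
    notYetValid: typeof payload.nbf === 'number' && payload.nbf > now,
    verified: false,           // decode-only: never claims authenticity
  };
}

// Constructed sample token (not a real credential): HS256 header, a payload that
// expired one hour after issue, and a placeholder where a signature would be.
const SAMPLE_JWT = [
  base64UrlEncode(JSON.stringify({ alg: 'HS256', typ: 'JWT' })),
  base64UrlEncode(JSON.stringify({ iss: 'https://issuer.example', sub: 'user-42', iat: 1700000000, exp: 1700003600, roles: ['reader'] })),
  'placeholder-signature',
].join('.');
console.log(JSON.stringify(decodeJwt(SAMPLE_JWT, 1700007200), null, 2));
```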

Security note: this tool intentionally does not verify signatures. To verify, use your language's JWT library with the appropriate secret or public key. Pasting a JWT here decodes the contents but does not confirm the token is valid or authentic.

Privacy: JWTs encode your identity and session data. They should not be pasted into third-party online services. This decoder runs entirely in your browser — the token never leaves your device.

Frequently Asked Questions

Can it verify the JWT signature?
No. Signature verification requires the signing secret (for HS256) or the public key (for RS256/ES256). This tool only decodes the header and payload — it does not verify authenticity. Use your application's JWT library for verification.
What does the 'exp' claim mean?
exp is the expiry time — a Unix timestamp (seconds since January 1, 1970). The tool converts it to a human-readable local date/time and shows whether the token is currently expired.
Is it safe to paste a real JWT here?
Yes. The decoder runs entirely in your browser — the token is never sent to a server. However, as a general security practice, avoid pasting production credentials into any web tool when possible.
What is the difference between the header and payload?
The header contains metadata about the token: the signing algorithm (for example alg: RS256) and token type (typ: JWT). The payload contains the claims — the actual data like user ID, roles, and expiry. Both are Base64url-encoded but not encrypted, so anyone holding the token can read them.