JWT Decoder
Decode JWT header and payload data in your browser. Decoding makes claims readable but does not verify the signature or trust the token.
Decoded Header
Decoded JWT header will appear here...
Decoded Payload
Decoded JWT payload will appear here...
Security Note
Decoding happens locally inside your browser. Avoid pasting live production tokens because decoded claims may still contain sensitive account, role, or session information.
Inspecting JWT Header and Payload Claims
A compact JSON Web Token contains three dot-separated sections: a Base64URL-encoded header, a Base64URL-encoded payload, and a signature. Decoding the first two sections makes their JSON content readable.
The payload may include subject, issuer, audience, roles, scopes, issued-at time, not-before time, and expiration time. This tool is useful when you need to inspect those claims while debugging an authentication or API flow.
Decoding is not validation. A readable token may still be expired, signed with an unexpected key or algorithm, issued by the wrong service, or unacceptable to the application.
How to Use the JWT Decoder
- Paste your JWT token into the editor.
- Click Decode JWT.
- Review the decoded header and payload data.
- Copy the decoded JSON output if needed.
Common Use Cases
- Inspecting JWT payload claims during debugging.
- Reading exp, nbf, and iat claims before checking their meaning.
- Debugging API authentication issues.
- Inspecting OAuth and session tokens.
- Reading user role and permission claims.
- Testing frontend authentication flows.
- Comparing token claims with the application requirements.
Example JWT Payload
{
"sub": "1234567890",
"name": "John Doe",
"role": "admin",
"iat": 1715940000,
"exp": 1715943600
}Understanding JWT Token Structure
- Header: Contains token type and signing algorithm information.
- Payload: Contains claims, permissions, user data, and token metadata.
- Signature: Helps verify token integrity and authenticity.
Frequently Asked Questions
What is a JWT token?
JWT stands for JSON Web Token, a compact format commonly used for authentication, authorization, and secure data exchange.
Does this JWT Decoder verify signatures?
No. This tool decodes JWT content for inspection only and does not verify signatures or token trust.
Is my JWT token uploaded anywhere?
No. JWT decoding happens locally inside your browser and token data is not uploaded or stored.
Why are JWT tokens Base64 encoded?
JWT sections use Base64 URL-safe encoding so tokens can travel safely through browsers, APIs, and HTTP headers.
Can I decode expired JWT tokens?
Yes. Expired tokens can still be decoded for inspection unless the token format itself is invalid.
