JWT Decoder

Paste a JSON Web Token to inspect its header and payload. The decoder runs entirely in your browser, so the token never leaves your device.

Useful when debugging APIs, inspecting tokens issued by an OAuth or OpenID provider, or checking which claims an access token carries.

Decode only — no signature verification

This tool only decodes the header and payload sections of the token. It does not verify the signature, because verification requires the secret or public key, and doing it in the browser is not meaningful — anything you paste here is already exposed to the user. Treat the result as informational only.

What is a JWT?

A JSON Web Token (RFC 7519) is a compact string built from three Base64url-encoded sections joined by dots: header.payload.signature. The header describes the signing algorithm, the payload carries the claims, and the signature lets a server prove the token has not been tampered with.

Examples

A minimal HS256 token with a single sub claim:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0.dozjgNryP4J3jVmNHl0w5N_XgL0n3I9PlFUP0THsR8U

FAQ

Does this tool verify the signature?

No. It only decodes header and payload. Signature verification requires the secret or public key and must happen on a trusted server, not in the browser.

Is my token sent to a server?

No. The decoder runs entirely in your browser. The token is parsed locally and never leaves your device.

What do exp, iat and nbf mean?

They are standard registered claims: iat is the issued-at time, nbf is the not-before time, and exp is the expiration time. All three are Unix timestamps in seconds.

Why are my Base64 characters different from regular Base64?

JWT uses Base64url, which replaces + with -, / with _, and drops = padding. The decoder handles this automatically.
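
The decode-only steps described on this page (split on dots, undo Base64url, parse the JSON, render exp/iat/nbf as dates), as an added example that is not this tool's own source. The function names are illustrative, and it assumes a runtime with atob and TextDecoder (browsers, recent Node.js):

```javascript
// Added example: decode-only inspection of a JWT. Nothing here verifies the signature.
// SAMPLE is the HS256 token shown under "Examples" on this page.
const SAMPLE = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9." +
  "eyJzdWIiOiIxMjM0NTY3ODkwIn0.dozjgNryP4J3jVmNHl0w5N_XgL0n3I9PlFUP0THsR8U";

// Base64url -> UTF-8 text: map - and _ back to + and /, then restore = padding.
function base64urlToText(segment) {
  if (!/^[A-Za-z0-9_-]+$/.test(segment) || segment.length % 4 === 1) {
    throw new Error("not a valid Base64url segment");
  }
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/")
    .padEnd(Math.ceil(segment.length / 4) * 4, "=");
  const bytes = Uint8Array.from(atob(b64), (ch) => ch.charCodeAt(0));
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes);
}

// Split header.payload.signature and parse the first two sections as JSON objects.
function decodeJwt(token) {
  const parts = String(token).trim().split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const [header, payload] = parts.slice(0, 2).map((part) => {
    const value = JSON.parse(base64urlToText(part));
    if (value === null || typeof value !== "object" || Array.isArray(value)) {
      throw new Error("section is not a JSON object");
    }
    return value;
  });
  return { header, payload, signature: parts[2], verified: false };
}

// Render iat/nbf/exp (Unix seconds) as ISO dates and compare them to "now".
function summarizeTimeClaims(payload, nowSeconds = Math.floor(Date.now() / 1000)) {
  const summary = { dates: {}, expired: false, notYetValid: false };
  for (const name of ["iat", "nbf", "exp"]) {
    const value = payload[name];
    if (value === undefined) continue;
    const ok = typeof value === "number" && Math.abs(value) <= 8.64e12;
    summary.dates[name] = ok ? new Date(value * 1000).toISOString() : "invalid";
  }
  if (summary.dates.exp && summary.dates.exp !== "invalid") summary.expired = nowSeconds >= payload.exp;
  if (summary.dates.nbf && summary.dates.nbf !== "invalid") summary.notYetValid = nowSeconds < payload.nbf;
  return summary;
}

const decoded = decodeJwt(SAMPLE);
console.log(decoded.header, decoded.payload, summarizeTimeClaims(decoded.payload));
```

The expired and notYetValid flags describe the claims as written in the token; the returned verified field is always false because the signature section is carried through unchecked.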
