JWT Decoder

Decode a JSON Web Token's header, payload, and claims — and optionally verify its signature. Token and keys never leave your browser.

Decoded entirely in your browser — nothing is sent to the server.

Advertisement
What is a JWT?

A signed, base64url-encoded JSON token — header, payload, signature.

A JSON Web Token is three base64url-encoded parts joined by dots: a header (the signing algorithm and token type), a payload (the claims — who issued it, who it's for, when it expires), and a signature over the first two parts. Decoding is just base64 — anyone can read a JWT's contents, so never put secrets in the payload.

The signature is what makes a JWT trustworthy: only someone with the signing key can produce a valid one. This tool verifies HS256 (shared secret), RS256, and ES256 (public key) entirely in your browser via the Web Crypto API — the token and key never touch our server. exp, iat, and nbf claims are shown as human-readable dates with expiry status.

Read more on Wikipedia
FAQ

Frequently asked

Is a JWT encrypted?
No — a standard signed JWT is only base64url-encoded, so anyone can read the payload. The signature proves it wasn't tampered with; it doesn't hide anything, so never put secrets in a JWT.
Can I decode a JWT without the secret?
Yes. Reading the header and payload needs no key — that part is just base64. The secret or public key is only needed to verify the signature.
Does this tool send my token anywhere?
No. Decoding and signature verification run entirely in your browser via the Web Crypto API — the token and key never leave the page.
Copied to clipboard