JWT Decoder — Inspect JSON Web Tokens Instantly
Paste a JSON Web Token below to decode its header and payload in real time. Everything runs client-side — your token never leaves your browser.
Decoded Header
Decoded Payload
Try These Examples
- Admin user token — contains sub, name, iat, exp, and role claims
- OAuth-style token — RS256 with iss, aud, scope, email, and kid in the header
How It Works
A JSON Web Token is a compact, URL-safe string made up of three parts separated by dots (.):
- Header — A JSON object specifying the token type and signing algorithm (e.g. HS256, RS256), and optionally a key identifier (kid). It is base64url-encoded to form the first segment.
- Payload — A JSON object containing the claims: pieces of data such as user ID (sub), issued-at time (iat), expiration (exp), and any custom fields. This is also base64url-encoded.
- Signature — Created by taking the encoded header, a dot, and the encoded payload, then signing that string using the algorithm declared in the header: an HMAC with a shared secret for HS256, or an RSA signature with a private key for RS256. The result is base64url-encoded to form the third segment.
Base64url encoding is a variant of standard Base64 that replaces + with - and / with _, and omits padding = characters. This makes the token safe to use in URLs, HTTP headers, and cookies.
This tool reverses the base64url encoding on the header and payload segments and displays the resulting JSON. The signature segment is shown as-is: checking it requires the verification key (the shared secret for HS256, or the issuer's public key for RS256), and this tool does not take a key.
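As an added example (not the page's own code), the decoder below does in JavaScript what the section describes: it splits the token on its two dots, reverses the base64url encoding on the first two segments, parses them as JSON, and leaves the signature untouched. It runs unchanged in a browser (atob/btoa with TextDecoder) and in Node.js (Buffer). The sample token it builds is constructed for illustration, and its third segment is a placeholder string rather than a real MAC.

```javascript
// Added example (not the page's own code): decode a JWT's header and payload
// as described above, without verifying the signature.
// Uses atob/btoa + TextDecoder in the browser, Buffer in Node.js.

const BASE64URL_ALPHABET = /^[A-Za-z0-9_-]*$/;

// base64url -> base64: restore '+' and '/', then re-add the '=' padding.
function base64urlToBase64(segment) {
  if (!BASE64URL_ALPHABET.test(segment)) {
    throw new Error('segment contains characters outside the base64url alphabet');
  }
  const base64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  if (base64.length % 4 === 1) throw new Error('invalid base64url length');
  return base64 + '='.repeat((4 - (base64.length % 4)) % 4);
}

// base64 -> base64url: swap the two URL-unsafe characters and drop padding.
function base64ToBase64url(base64) {
  return base64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function base64urlDecode(segment) {
  const base64 = base64urlToBase64(segment);
  if (typeof atob === 'function') {
    const bytes = Uint8Array.from(atob(base64), (ch) => ch.charCodeAt(0));
    return new TextDecoder('utf-8').decode(bytes);
  }
  return Buffer.from(base64, 'base64').toString('utf8');
}

function base64urlEncode(text) {
  if (typeof btoa === 'function') {
    const bytes = new TextEncoder().encode(text);
    const binary = Array.from(bytes, (b) => String.fromCharCode(b)).join('');
    return base64ToBase64url(btoa(binary));
  }
  return base64ToBase64url(Buffer.from(text, 'utf8').toString('base64'));
}

// Split on the dots, decode the first two segments as JSON and keep the
// third (the signature) verbatim: it cannot be checked without the key.
function decodeJwt(token) {
  const parts = token.trim().split('.');
  if (parts.length !== 3) {
    throw new Error(`expected 3 dot-separated segments, got ${parts.length}`);
  }
  const [headerSeg, payloadSeg, signatureSeg] = parts;
  return {
    header: JSON.parse(base64urlDecode(headerSeg)),
    payload: JSON.parse(base64urlDecode(payloadSeg)),
    signature: signatureSeg,
  };
}

// Constructed sample token. The signature segment is a placeholder, not a real MAC,
// which is exactly why a decoder must not treat the claims as trustworthy.
function makeSampleToken() {
  const header = { alg: 'HS256', typ: 'JWT' };
  const payload = { sub: '1234567890', name: 'Jane Doe', iat: 1700000000, exp: 1700003600, role: 'admin' };
  return [
    base64urlEncode(JSON.stringify(header)),
    base64urlEncode(JSON.stringify(payload)),
    base64urlEncode('placeholder-signature'),
  ].join('.');
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(decodeJwt(makeSampleToken()), null, 2));
}
```

Note that the alphabet check and the length check are what separate a decoder from a script that blindly calls atob: a segment containing `+`, `/` or `=` is not base64url, and a length of 1 mod 4 can never be valid, so both are reported instead of silently decoding to garbage.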
Frequently Asked Questions
What is a JSON Web Token (JWT)?
A JSON Web Token is a compact, URL-safe token format defined by RFC 7519. It consists of three base64url-encoded parts separated by dots: a header that specifies the signing algorithm, a payload containing claims (key-value data), and a cryptographic signature that verifies the token's integrity.
Is it safe to decode a JWT in the browser?
Yes. The header and payload of a JWT are simply base64url-encoded, not encrypted. Decoding them reveals no secrets beyond the data the token already carries. Bear in mind, though, that an unexpired token is still a credential: whoever holds it can present it to the service that issued it, so paste production tokens only into tools you control, and never trust a decoded token's claims without verifying the signature on the server side using the appropriate key.
What is the difference between decoding and verifying a JWT?
Decoding means reversing the base64url encoding to read the header and payload as JSON. Verifying means using the verification key (a shared secret for HMAC algorithms such as HS256, or the issuer's public key for RS256) to confirm the signature is valid and the token has not been tampered with. The verifier must decide which algorithm and key to use from its own configuration rather than from the token's alg header, otherwise a forged header (for example alg set to none) can bypass the check. This tool only decodes; verification requires the key and should be performed server-side.
What does the "exp" claim in a JWT mean?
The exp (expiration time) claim identifies the time after which the JWT must not be accepted for processing. It is expressed as a Unix timestamp (the number of seconds since 1 January 1970 UTC). If the current time is at or past the exp value, the token is considered expired and should be rejected. RFC 7519 allows implementers to tolerate a small amount of clock skew (usually no more than a few minutes), and the check only means something after the signature has been verified, since an unverified exp is just more attacker-controlled data.