JWT Decoder
Paste a JSON Web Token. See the decoded header, payload, signature bytes, and expiry status. Decoding is not verification — this tool deliberately stops at reading what a token claims. Everything runs in your browser.
Decoding is not verifying.
This tool reads what a JWT claims; it does not check the signature. Any client can mint a JWT with any payload. Only verifying the signature with the correct issuer key proves authenticity — do that on a server with a JWT library, not in a browser tool.
Your input never leaves your browser.
What is this?
A JSON Web Token (JWT) is a compact, base64url-encoded string with three dot-separated parts — header, payload, and signature — used by almost every OAuth, OIDC, and session-cookie stack on the open web. Reach for this tool when you have a token from an API request, a server log, or a cookie and you need to see what claims it carries — the subject, issuer, expiry, audience, scopes — without piping it through a third-party site.
Decoding a JWT is not the same as verifying it. Any client can mint a token with any payload; only checking the signature against the issuer’s key proves the token is authentic and untampered. This tool deliberately stops at decoding — verification belongs on a server, with a real JWT library and the issuer’s key, not in a browser inspector.
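The distinction above, as an added example (not this tool's own source): a minimal decode-only routine in plain JavaScript that runs in a browser or in Node, applied to two tokens constructed here. The helper names, claim values and placeholder signature bytes are assumptions made for illustration.

```javascript
// Added example: decode only. Tokens below are constructed; no signature is checked.
const b64urlEncode = (text) =>
  btoa(String.fromCharCode(...new TextEncoder().encode(text)))
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");

function b64urlDecode(segment) {
  // base64url alphabet only; a length of 4n+1 can never be valid base64.
  if (!/^[A-Za-z0-9_-]*$/.test(segment) || segment.length % 4 === 1) {
    throw new Error("segment is not base64url");
  }
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return Uint8Array.from(atob(padded), (ch) => ch.charCodeAt(0));
}

function decodeJwt(token, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const utf8 = new TextDecoder("utf-8", { fatal: true });
  const [header, payload] = parts.slice(0, 2)
    .map((p) => JSON.parse(utf8.decode(b64urlDecode(p))));
  let expiry = "no exp claim";
  if (typeof payload.exp === "number") {
    expiry = payload.exp <= nowSec ? "expired" : "not expired";
  }
  // verified is always false: nothing here touches a key.
  const signatureBytes = b64urlDecode(parts[2]).length;
  return { header, payload, expiry, signatureBytes, verified: false };
}

// Constructed sample data (hypothetical claims and placeholder signature bytes).
const mint = (payload, sigSegment) =>
  [b64urlEncode(JSON.stringify({ alg: "HS256", typ: "JWT" })),
   b64urlEncode(JSON.stringify(payload)), sigSegment].join(".");
const SIG = b64urlEncode("constructed-signature-bytes");
const issued = mint({ sub: "user-1001", role: "viewer", exp: 1700000000 }, SIG);
// Same signature segment, edited claims: the decoder cannot tell the difference.
const edited = mint({ sub: "user-1001", role: "admin", exp: 4102444800 }, SIG);

const NOW = 1700000600; // fixed clock so the output is reproducible
console.log(decodeJwt(issued, NOW)); // role viewer, expired
console.log(decodeJwt(edited, NOW)); // role admin, not expired, verified: false
```

Both tokens decode cleanly even though the second one's claims were changed after the signature segment was produced, which is why access decisions must come from server-side signature verification and never from decoded claims alone.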
For algorithms, the alg: none story, and standard-claim semantics, read the full explainer →