JWT Token Decode

Decode JWT tokens to view header and payload. For API auth debugging.

About this tool

This tool decodes JWT tokens in one click. Three features: 1) Paste JWT to display Header and Payload as JSON, 2) Check exp, sub, aud claims, 3) All processing in browser—no data sent to server. Ideal for API auth debugging.

Tool interface

This tool only decodes. It does not verify signatures. Do not use for tamper detection.

Auto-decodes on input or paste

 
 

Signature Verification

What is a JWT (JSON Web Token)? The Mechanics of Decoding

JSON Web Token (JWT, pronounced "jot") is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. It is widely used for stateless authentication and secure information exchange across modern web applications.

The 3 Structural Components of a JWT

A JWT string consists of three parts separated by dots (.), which are Base64Url encoded.

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
  • 1. Header

    Typically consists of two parts: the type of the token (JWT) and the signing algorithm being used, such as HMAC SHA256 or RSA.

  • 2. Payload (Claims)

    Contains the statements (claims) about an entity (typically, the user) and additional data. Common claims include the user identifier (sub) and expiration time (exp). Warning: The payload is merely encoded, NOT encrypted. Never place passwords or sensitive secrets here.

  • 3. Signature

    Generated using the encoded header, the encoded payload, a secret, and the algorithm specified in the header. The signature is used to verify the message wasn't changed along the way.

Why Can Anyone Decode My JWT?

As highlighted above, the Header and Payload are only Base64Url encoded. They are completely transparent to anyone who intercepts the token. Encoding is merely a way of altering the data format, unlike encryption, which requires a cryptographic key to read the data. This is exactly how this very tool can display your token's internal payload without needing your server's secret keys.

How to Decode JWTs in Code

If you need to peek at the payload within your codebase without performing complete signature validation, you can do so manually:

Node.js / Vanilla JavaScript

const token = "eyJhbG...";
const [header, payload, signature] = token.split('.');
// Decode base64 URL to string, then parse the JSON
const decodedPayload = JSON.parse(Buffer.from(payload, 'base64').toString('utf8'));
console.log(decodedPayload);

Security Best Practice: Client-Side Only Decoding

Pasting a production authorization token into a random online decoder is highly risky. If the third-party server logs your token, they effectively gain full access to your user's account until the token expires.

Our JWT Decoder tool is built entirely as a 100% Client-Side application. We utilize JavaScript entirely within your browser to parse the JWT strings. No payloads, signatures, or tokens ever leave your local machine or are transmitted to our servers.

Usage

  1. Paste JWT in the input field
  2. Click decode to show Header and Payload as JSON
  3. Check exp, sub, aud claims. No signature verification

When to use

API auth debugging, checking token expiry/claims, OAuth/OIDC verification.

Examples

Paste eyJhbGciOiJIUzI1NiIs... to view Header/Payload. Check exp, sub, aud claims.

FAQ

What is JWT?

JSON Web Token. Token format for API auth and OAuth 2.0. Header.Payload.Signature, Base64URL encoded.

Structure of JWT?

Header.Payload.Signature. Header=algorithm, Payload=claims (exp, sub, aud), Signature=signature.

What is exp in JWT?

Expiration. Unix timestamp when token expires. Decode to check.

Where is JWT used?

API auth, OAuth 2.0, OpenID Connect, microservice auth. Stateless, scalable.

Is JWT Token Decode free?

Free to use, no sign-up required.

Is data sent to a server?

Data stays on your device; we do not store it on our servers.

Supported browsers?

Tested on recent Chrome, Edge, Firefox, and Safari.

Offline use?

Core features work offline after the first load.

vs CLI or desktop apps?

JWT Token Decode is an install-free online alternative to CLI or desktop apps.

When to use it?

Use it when: API auth debugging, checking token expiry/claims, OAuth/OIDC verification.

Usage example?

Example: Paste eyJhbGciOiJIUzI1NiIs... to view Header/Payload. Check exp, sub, aud claims.

Main features?

JWT Header and Payload display, Local processing only, exp, sub claims check

How is this different from similar tools?

JWT Token Decode runs in the browser with no install—ideal for quick checks before heavier CLI or IDE workflows.

Search keywords

JWT, トークン, 認証, デコード, API, JWT 解析, jwt decode, JWT token decode, JWT parser

Basic workflow

  1. Paste JWT in the input field
  2. Click decode to show Header and Payload as JSON
  3. Check exp, sub, aud claims. No signature verification

Practical use cases

  • API auth debugging, checking token expiry/claims, OAuth/OIDC verification.
  • This tool decodes JWT tokens in one click. Three features: 1) Paste JWT to display Header and Payload as JSON, 2) Check exp, sub, aud claims, 3) All processing in browser—no data sent to server. Ideal for API auth debugging.
  • JWT Header and Payload display
  • Local processing only

Privacy & data handling

Data stays on your device; we do not store it on our servers.

Things to watch out for

  • Always double-check before pasting output into production
  • Try incognito if extensions break the page
  • Wait for processing on large inputs

Related guides

Tool comparisons

Related learning content

Related tools

Tool set