JWT Token Decode
Decode JWT tokens to view header and payload. For API auth debugging.
About this tool
This tool decodes JWT tokens in one click. Three features: 1) Paste JWT to display Header and Payload as JSON, 2) Check exp, sub, aud claims, 3) All processing in browser—no data sent to server. Ideal for API auth debugging.
Tool interface
Auto-decodes on input or paste
Signature Verification
What is a JWT (JSON Web Token)? The Mechanics of Decoding
JSON Web Token (JWT, pronounced "jot") is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. It is widely used for stateless authentication and secure information exchange across modern web applications.
The 3 Structural Components of a JWT
A JWT string consists of three parts separated by dots (.), which are Base64Url encoded.
- 1. Header
Typically consists of two parts: the type of the token (JWT) and the signing algorithm being used, such as HMAC SHA256 or RSA.
- 2. Payload (Claims)
Contains the statements (claims) about an entity (typically, the user) and additional data. Common claims include the user identifier (
sub) and expiration time (exp). Warning: The payload is merely encoded, NOT encrypted. Never place passwords or sensitive secrets here. - 3. Signature
Generated using the encoded header, the encoded payload, a secret, and the algorithm specified in the header. The signature is used to verify the message wasn't changed along the way.
Why Can Anyone Decode My JWT?
As highlighted above, the Header and Payload are only Base64Url encoded. They are completely transparent to anyone who intercepts the token. Encoding is merely a way of altering the data format, unlike encryption, which requires a cryptographic key to read the data. This is exactly how this very tool can display your token's internal payload without needing your server's secret keys.
How to Decode JWTs in Code
If you need to peek at the payload within your codebase without performing complete signature validation, you can do so manually:
Node.js / Vanilla JavaScript
const token = "eyJhbG...";
const [header, payload, signature] = token.split('.');
// Decode base64 URL to string, then parse the JSON
const decodedPayload = JSON.parse(Buffer.from(payload, 'base64').toString('utf8'));
console.log(decodedPayload); Security Best Practice: Client-Side Only Decoding
Pasting a production authorization token into a random online decoder is highly risky. If the third-party server logs your token, they effectively gain full access to your user's account until the token expires.
Our JWT Decoder tool is built entirely as a 100% Client-Side application. We utilize JavaScript entirely within your browser to parse the JWT strings. No payloads, signatures, or tokens ever leave your local machine or are transmitted to our servers.
Usage
- Paste JWT in the input field
- Click decode to show Header and Payload as JSON
- Check exp, sub, aud claims. No signature verification
When to use
Examples
FAQ
What is JWT?
Structure of JWT?
What is exp in JWT?
Where is JWT used?
Is JWT Token Decode free?
Is data sent to a server?
Supported browsers?
Offline use?
vs CLI or desktop apps?
When to use it?
Usage example?
Main features?
How is this different from similar tools?
Search keywords
Basic workflow
- Paste JWT in the input field
- Click decode to show Header and Payload as JSON
- Check exp, sub, aud claims. No signature verification
Practical use cases
- API auth debugging, checking token expiry/claims, OAuth/OIDC verification.
- This tool decodes JWT tokens in one click. Three features: 1) Paste JWT to display Header and Payload as JSON, 2) Check exp, sub, aud claims, 3) All processing in browser—no data sent to server. Ideal for API auth debugging.
- JWT Header and Payload display
- Local processing only
Privacy & data handling
Data stays on your device; we do not store it on our servers.
Things to watch out for
- Always double-check before pasting output into production
- Try incognito if extensions break the page
- Wait for processing on large inputs
Related guides
Tool comparisons
Related learning content
Related tools
Tool set
Dev & Security Set