JWT Decoder Guide

JWT Decoder safely inspects the header, payload, and signature of a JSON Web Token in your browser, without sending the token to any server.

JWT Decoder exists because JSON Web Tokens are everywhere in modern authentication — API access tokens, session tokens, identity provider responses — but they look like meaningless gibberish at a glance: three long base64-encoded strings separated by periods. Developers regularly need to peek inside a token to debug why an API call is rejecting it, confirm what claims and expiration time it actually contains, or verify that an identity provider issued the token with the fields a backend expects. Doing this by hand, manually base64-decoding each segment, is tedious and error-prone for something that should be a quick lookup.

This tool decodes a JWT directly in your browser, splitting it into its three parts — header, payload, and signature — and rendering the header and payload as readable JSON, with timestamp fields like expiration and issued-at converted into human-readable dates rather than raw Unix numbers. Because a JWT is itself not encrypted, just encoded and signed, decoding it doesn't require a secret key; the tool simply reverses the base64url encoding to reveal the underlying JSON.

A key distinction this tool is built around: decoding a JWT is fundamentally different from verifying it. Anyone, including an attacker, can decode a JWT's contents, but only someone holding the correct signing key can produce a JWT that verifies. This tool shows you what a token claims, which is invaluable for debugging, but it deliberately does not, and cannot, confirm that the token's signature is valid, since that requires the secret or public key used to sign it, which lives on a server, not in this browser tab.

Pasting a JWT into a tool — even one that runs entirely client-side — is something to do thoughtfully, since the token itself may grant access to a real account or system; this tool never transmits the token anywhere, but you should still avoid decoding tokens you don't have a legitimate reason to inspect.

How to decode a JWT

  1. Paste your JWT. Copy the full token string (three sections of letters, numbers, and symbols separated by two periods) and paste it into the input field. The tool recognizes the standard JWT structure and decodes it with no further configuration. Beyond having three sections there is no strict format requirement, so tokens copied from a browser's developer tools, an API response body, or an Authorization header all work the same way.
  2. Review the decoded header. The header typically shows the signing algorithm (such as HS256 or RS256) and the token type. This small section matters more than its size suggests: the algorithm determines what kind of key would be needed to verify the signature, which is a separate step from reading the contents. It is also a good moment to confirm the algorithm matches what your backend expects, since a mismatch here is sometimes the whole reason a server rejects a token.
  3. Review the decoded payload. The payload holds the claims themselves, typically a user ID, an issuer, an expiration timestamp, and any custom fields the issuing system included. Expiration and issued-at timestamps are converted from raw Unix time into readable dates, which is usually the fastest way to confirm whether a token has expired. Custom claims added by your own application are as visible here as the standard ones, so this is also the quickest way to confirm that a backend change to token contents took effect as intended.
  4. Check the signature section. The signature is shown as the raw encoded string it is, since verifying it requires the signing secret or the corresponding public key, which lives on the server side rather than in this browser tab. The tool deliberately stops at displaying the signature rather than pretending to validate it, because a false sense of verification would be more harmful than none. If you need to confirm a token is authentic rather than merely well-formed, that verification has to happen on a server holding the appropriate key, using a dedicated JWT library rather than this decoding tool.
  5. Use the decoded claims to debug. With the header and payload visible, check whether the claims match what your application expects: the right issuer, an audience value that matches your API, and an expiration time in the future rather than the past. That is usually exactly the information needed to resolve an authentication or authorization bug, and it is far faster than adding logging to a running service just to see what a token contains, especially when the issue reproduces with a single token pasted into this tool.
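As an added example, not the tool's own source, the decoding and step 5 claim checks described above written as browser-style JavaScript (atob, TextDecoder); the issuer and audience values and the sample token are constructed, and its signature segment is a placeholder rather than a real HMAC, which is exactly why decoding alone says nothing about authenticity:

```javascript
// Added example, not the tool's own code. base64url is base64 with '-' and '_'
// for '+' and '/' and no '=' padding, so decoding restores both before atob().
function base64UrlDecode(segment) {
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return new TextDecoder().decode(bytes); // claims may contain UTF-8
}

function base64UrlEncode(text) {
  const b64 = btoa(String.fromCharCode(...new TextEncoder().encode(text)));
  return b64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Split on the two periods. Header and payload are JSON; the signature is
// returned as the raw string, since it cannot be checked without the key.
function decodeJwt(token) {
  const parts = token.trim().replace(/^Bearer\s+/i, "").split("."); // tolerate a copied header value
  if (parts.length !== 3) throw new Error("not a JWT: expected three sections");
  const [header, payload, signature] = parts;
  return { header: JSON.parse(base64UrlDecode(header)), payload: JSON.parse(base64UrlDecode(payload)), signature };
}

// Unix-second time claims rendered as ISO dates, as the tool displays them.
function readableTimes(payload) {
  const out = {};
  for (const c of ["iat", "nbf", "exp"]) if (typeof payload[c] === "number") out[c] = new Date(payload[c] * 1000).toISOString();
  return out;
}

// Step 5 checks: issuer, audience and expiry. Returns the problems found; an empty list means the
// claims look right, which still says nothing about whether the token is authentic.
function checkClaims(payload, { issuer, audience, now = Date.now() / 1000 }) {
  const problems = [];
  if (payload.iss !== issuer) problems.push(`iss is ${payload.iss}, expected ${issuer}`);
  const aud = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
  if (!aud.includes(audience)) problems.push(`aud does not include ${audience}`);
  if (typeof payload.exp !== "number") problems.push("exp claim missing");
  else if (payload.exp <= now) problems.push(`expired at ${readableTimes(payload).exp}`);
  if (typeof payload.nbf === "number" && payload.nbf > now) problems.push("nbf is in the future");
  return problems;
}

// Constructed sample token: hypothetical issuer and audience, placeholder signature (not a real HMAC).
const SAMPLE_TOKEN = [
  base64UrlEncode(JSON.stringify({ alg: "HS256", typ: "JWT" })),
  base64UrlEncode(JSON.stringify({ iss: "https://issuer.example", aud: "api.example", sub: "user-42", iat: 1700000000, exp: 1700003600 })),
  "placeholder-signature",
].join(".");
```

Call `decodeJwt(SAMPLE_TOKEN)` and pass its `payload` to `readableTimes` and `checkClaims` to see the dates and the problem list the steps above describe.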

Use Cases

  • Debugging a rejected API request: Decode a JWT being sent with a failing API request to check whether its claims, issuer, or expiration match what the API expects.
  • Verifying a token's expiration during a support investigation: Decode a user-reported token to confirm whether it had already expired at the time of the reported issue.
  • Inspecting claims returned by an identity provider: Decode a JWT issued by an OAuth or OpenID Connect provider to confirm exactly which claims and scopes were actually granted.
  • Checking custom claims added by your own backend: Decode a token your own service issued to confirm that custom claims were embedded correctly during development.
  • Teaching how JWTs are structured: Decode a sample JWT as a teaching example to show students or new team members exactly what a token contains and how it's structured.
  • Auditing token contents before reporting a security concern: Decode a JWT to confirm exactly what information it exposes before deciding whether that exposure is a genuine concern worth raising.

About This Tool

What is it? A browser-based tool that decodes a JSON Web Token into its readable header and payload, without verifying the signature and without sending the token to a server.

Why use it? It turns an unreadable, base64-encoded token into readable claims in seconds, which is exactly what's needed to debug an authentication issue, without exposing the token to a third-party service.

Alternatives: Command-line tools or library functions can decode a JWT but require writing or running code just for a quick lookup; some browser extensions offer JWT decoding but require installation and broader permissions; this tool works instantly with no installation.

Common mistakes: The most common and most consequential mistake is assuming that a JWT which decodes successfully is therefore a valid, verified token; decoding only reveals claims and does not confirm the signature is genuine. The second is pasting a production token containing sensitive claims into a tool without first confirming it processes everything locally in the browser.

Frequently Asked Questions

Is my JWT uploaded to a server when I decode it?
No, decoding happens entirely in your browser using JavaScript; the token is never transmitted anywhere.
Does decoding verify that the token is authentic?
No, decoding only reveals the token's claims. Verifying authenticity requires the secret or public key used to sign it, which this tool does not have and does not request.
Why does the signature section look like meaningless text?
The signature is a cryptographic value, not encoded JSON, so it doesn't decode into readable text the way the header and payload do; it can only be checked against a key, not read directly.
Can this tool tell me if a token has expired?
Yes, the decoded payload typically includes an expiration claim converted to a readable date, which you can compare against the current time to determine whether the token has expired.
Is it safe to paste a real production token into this tool?
Since nothing is uploaded, the token stays on your device, but it's still good practice to avoid pasting tokens you don't have a legitimate reason to inspect, and to avoid sharing screenshots of decoded sensitive claims.
What if the token fails to decode?
This usually means the pasted text isn't a well-formed JWT — check that it has exactly three base64url sections separated by two periods, with no extra whitespace or missing characters.
Can I decode JWTs signed with any algorithm?
Yes, decoding the header and payload doesn't depend on the signing algorithm, since that step only requires reversing the base64url encoding, not validating the signature itself.
Does this tool store or log decoded tokens?
No, nothing is stored or logged; once you close or navigate away from the tab, the decoded content is gone.
