Skip to content
Processing locally — files never leave your device

JWT Decoder

Paste a JWT to inspect its header and payload. Decoding stays on your machine — important for tokens that contain secrets.

How to use JWT Decoder

  1. Paste your JWT into the input area.
  2. The header and payload are decoded automatically as you type.
  3. Inspect any standard claims (iss, sub, exp, iat) in the formatted payload.
  4. Copy the decoded JSON for use in your debugger or test suite.

What is a JWT?

A JSON Web Token (JWT, defined in RFC 7519) is a compact, URL-safe way to represent claims between two parties. It's the most common format for stateless authentication on the web — when you log in, the server returns a JWT, and your client sends it on every subsequent request to prove who you are. The server can trust the token without a database lookup because the signature proves it issued the token and that nothing has been altered since.

Anatomy: three parts, two dots

A JWT is header.payload.signature. Each part is Base64url-encoded, and the dots are the separators — which is why a valid token always contains exactly two of them. Take a typical first segment, eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9: decode it and you get the header {"alg":"HS256","typ":"JWT"}, which names the signing algorithm. The second segment is the payload — the claims, such as who the user is and when the token expires. The third is the signature, computed over the first two segments using a shared secret (HMAC) or a private key (RSA, ECDSA). Decoding the first two parts needs only Base64; checking the third needs the key.

The standard claims worth knowing

  • iss — issuer: who created the token.
  • sub — subject: who the token is about, usually a user ID.
  • aud — audience: which service the token is intended for.
  • exp / nbf / iat — expiry, not-before, and issued-at, all Unix timestamps in seconds.
  • jti — a unique token ID, useful for revocation lists.

Anything else in the payload is a custom claim — roles, permissions, tenant IDs. When you are debugging a 401, exp and aud are the first two fields to check: expired tokens and tokens sent to the wrong audience account for most rejections.

Decoding is not verifying

This is the single most important thing to understand about JWTs. Anyone can decode a token — this page does it with a few lines of Base64. Only someone holding the right key can verifyone. A decoded payload that looks legitimate proves nothing: an attacker can mint a token claiming to be any user in seconds. If your application ever reads claims from a token without first checking the signature, you do not have authentication; you have a suggestion box. Verification — and pinning the expected algorithm rather than trusting the header's alg field — must happen server-side, in your code or your gateway.

Common pitfalls

Base64url is not quite Base64: it swaps + and / for - and _ and drops the = padding, so a generic Base64 decoder will choke on many tokens. Tokens also grow quickly — every claim you add travels on every request, and a bloated JWT in a cookie can push you past header size limits. Finally, think about storage on the client: a token in localStorage is readable by any script that runs on your page, so an XSS hole becomes a stolen session. HttpOnly cookies trade that risk for CSRF concerns; whichever you choose, keep expiry short.

Why decoding tokens locally matters

Many JWTs include enough information to identify a user, an organization, or an internal API permission. Even an expired token still leaks identifiers. Pasting one into a server-backed tool means a third party logs your identity. This decoder runs in the browser; the token never leaves the page.

Related tools

Frequently asked questions

Will pasting a live token here expose it to anyone?
Only to you. The split-and-Base64url-decode work runs in the tab, so the token — and the identity claims or active session it carries — is never handed to a third party. That is exactly why a decoder you can trust has to be client-side.
Does this verify the signature?
No. We deliberately don't verify because verification requires your secret or public key, and we don't want anyone to paste secrets into a web tool. Verification belongs in your application or a CLI run on a trusted machine.
Why is my token "invalid"?
A JWT must have exactly three base64url-encoded segments separated by dots. The most common causes of failure are: extra whitespace, missing the "Bearer" prefix is fine but extra characters around it are not, or the token has been truncated mid-paste.
What is exp and how do I read it?
exp is the expiration time as a Unix timestamp in seconds. The decoder converts it to a human-readable date and shows whether the token is currently expired. The same applies to iat (issued at) and nbf (not before).
Can I decode encrypted JWTs (JWE)?
No — this tool decodes signed JWTs (JWS) only, which is the dominant format used for authentication. JWE tokens are content-encrypted and require the recipient's key to read; pasting a JWE here will show its header but the payload will be unreadable ciphertext.
Why can anyone read my token if it's "secure"?
Because a standard JWT is signed, not encrypted. The signature proves the token wasn't tampered with; it does nothing to hide the contents. Base64url is an encoding, not encryption — anyone who holds the token can read every claim. Never put passwords, card numbers, or other secrets in a JWT payload.
Should I trust the alg field in the header?
Not blindly. The header is attacker-controlled until the signature is verified, and historic libraries that honoured "alg": "none" or accepted an RSA public key as an HMAC secret were exploited in the wild. A correct verifier pins the expected algorithm in server configuration and rejects anything else.
How do I invalidate a JWT before it expires?
You mostly can't — that's the trade-off of stateless tokens. The server doesn't store them, so there is nothing to delete. Practical mitigations are short expiry times (minutes, not days) combined with refresh tokens, or a server-side denylist of revoked token IDs (jti), which reintroduces some state.

More tools you might find useful in the same flow.

Built by Muhammad Tahir · About