JWT Decoder
Decode JSON Web Tokens to inspect header, payload, and signature. Check expiration and view standard claims.
What is a JSON Web Token (JWT)?
A JSON Web Token is a compact, URL-safe way to represent claims between two parties, structured as three base64url-encoded segments separated by dots: a header (algorithm + token type), a payload (the claims), and a signature. JWTs are the standard mechanism for stateless authentication on the modern web — your server issues a signed token after login, and the client sends it back on every request so the server can trust the claims inside without re-querying the database. The format is defined in RFC 7519 and signature algorithms in RFC 7515 (JWS). This decoder reads the header and payload so you can inspect them — it does not verify the signature, since that requires the issuer's secret (HMAC) or public key (RSA/ECDSA). Need to decode the base64url segments manually? Use the Base64 Encoder/Decoder. Generating a hash for HMAC signing? Try the Hash Generator.
Decode Only
This tool only decodes JWT tokens. It does NOT verify signatures. Never paste sensitive tokens from production systems.
How to use this tool
1. Paste the JWT: Copy your token from your auth header, cookie, or environment variable and paste it into the input. The tool detects the three-part xxx.yyy.zzz format automatically.
2. Inspect header, payload, and claims: The decoded header and payload appear in tabs, with standard claims (iss, sub, exp, iat) called out and expiration computed against your local clock.
3. Verify on your server, not here: Decoding ≠ verification. Your server must validate the signature with the issuer's secret (HMAC) or public key (RSA/ECDSA). Use this tool only for debugging.
