JWT decoder
Paste a JWT to decode its header and payload — locally, nothing is sent.
JWT decoder
Decode a JSON Web Token (JWT) to read its header and payload claims. The token is split on its dots and the Base64URL parts are decoded entirely in your browser — nothing is sent to any server, which matters for tokens that grant access.
How a JWT is built
A JWT has three parts separated by dots: header.payload.signature. The header and payload are Base64URL-encoded JSON; the signature verifies integrity. This tool decodes (reads) the token — it does not verify the signature, so never trust an unverified token on a server.
Common claims
- sub: subject (user id). iat: issued-at. exp: expiry (Unix time).
- iss: issuer. aud: audience.
Frequently asked questions
Is it safe to decode my token here? Yes — decoding runs locally in your browser; the token isn’t uploaded.
Does this verify the signature? No. It only decodes the readable header and payload; signature verification needs the secret or public key.