JWT Decoder
Decode a JSON Web Token's header and payload instantly, entirely in your browser. See exactly what claims an API or login system is issuing before you build against it.
JWT Decoder
Decode JSON Web Tokens (JWT) instantly in your browser. View header and payload without sending data to a server. This tool performs client-side decoding only and does not verify the signature.
Header
// No header to display
Payload
// No payload to display
Signature
Enter a JWT to decode
// No signature to display
What Is a JWT?
A JSON Web Token (JWT) is a compact, URL-safe way to represent a set of claims — like a user ID, role, or expiration time — as a signed string. It's the standard way modern APIs and login systems pass identity and permission data between a client and a server without needing a database lookup on every request.
Structurally, every JWT is three Base64URL-encoded segments joined by dots:
eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJ1c2VyMTIzIn0.signature_string_hash
Header
States the token type and the algorithm used to sign it — commonly HS256 (shared secret) or RS256 (public/private key pair).
Payload
The actual claims — user ID, roles, expiry, and any custom data the issuer chose to include. Readable by anyone; not encrypted.
Signature
Proves the header and payload haven't been altered since signing. Recomputing it requires the issuer's secret key, which is why only the server can validate a token, not just read it.
Things to Keep in Mind
- Decoding a JWT does not verify its signature — that check has to happen on the server, using the secret or public key.
- The payload is only encoded, not encrypted. Anyone with the token can read it, so never put passwords or secrets inside the claims.
- Always check the "exp" claim server-side before trusting a token — an expired token should be rejected regardless of what the client sends.
Standard Claims You'll See
"sub"Subject — the user or entity this token identifies.
"iss"Issuer — which server or auth system generated the token.
"aud"Audience — the intended recipient of the token.
"exp"Expiration — Unix timestamp after which the token is no longer valid.
"iat"Issued At — Unix timestamp of when the token was created.
Common Decoding Errors
"Invalid JWT format" / wrong number of parts
A JWT needs exactly three dot-separated segments. If you copied a token that got truncated, wrapped with quotes, or prefixed with "Bearer ", the split will come up short.
atob() / Base64 decode fails
JWTs use Base64URL, which replaces "+" and "/" with "-" and "_" and drops padding. Pasting a regular Base64 string (or a token that was double-encoded somewhere) will fail to decode.
"Unexpected token" after decoding
If the Base64 segment decodes but the result isn't valid JSON, the token may actually be an encrypted JWE, or the payload was corrupted during copy/paste.
Signature shown as raw text, not JSON
This is expected — the signature is a cryptographic hash, not encoded data, so there's nothing to decode or parse. It can only be verified, not read.
Quick Checklist
- Token has exactly 2 dots (3 segments)?
- No "Bearer " prefix or surrounding quotes pasted in by mistake?
- Header decodes to JSON with an "alg" field?
- Payload's "exp" is a future Unix timestamp?
Frequently Asked Questions
Is it safe to paste a real access token into this tool?
Decoding happens entirely in your browser using JavaScript's built-in atob() and JSON.parse() — the token is never sent to any server, ours or otherwise. That said, treat any third-party tool (including this one) as public by default, and avoid pasting tokens tied to production systems or real user data.
If anyone can decode a JWT, is it actually secure?
Yes — the header and payload are only Base64URL-encoded, not encrypted, so decoding them is expected and not a security flaw. What keeps a JWT secure is the signature: if you change even one character of the payload, the signature no longer matches, and any server verifying the token will reject it. Decoding shows you the claims; it does not let you forge a valid token.
Does this tool verify the signature?
No. Verifying a signature requires the issuer's secret key (for HMAC algorithms like HS256) or public key (for RSA/ECDSA algorithms like RS256), which this tool never has and never asks for. This is a read-only decoder for inspecting claims during development and debugging — signature verification has to happen server-side, where the key actually lives.
Why do I get "Invalid JWT format"?
A JWT must have exactly three Base64URL segments separated by two dots: header.payload.signature. This error means the string you pasted doesn't split into three parts — usually because it's missing a segment, has extra whitespace, or isn't actually a JWT (some systems return opaque tokens or encrypted JWEs that look similar but decode differently).
What's the difference between a JWT and a regular session token?
A traditional session token is just a random ID that points to data stored server-side — it's meaningless without a database lookup. A JWT carries its claims (user ID, roles, expiry) inside the token itself, signed so a server can trust them without a database round-trip. That's what makes JWTs useful for stateless APIs, and also why leaking one is more dangerous — the data inside it is readable immediately.
Is this tool free, and are there limits?
Yes, free with no rate limit or sign-up — decoding runs on your device, not our infrastructure, so there's no server cost to limit.
About This Utility
This tool is provided completely free of charge by Mavertex. Built by Kumar (an independent UI developer), our platform ensures your privacy by executing all operations strictly within your local browser DOM.
We prioritize zero-trust architecture. No files or inputs are ever uploaded to remote servers. This page serves as both an interactive web application and an educational resource explaining the mechanics of client-side operations. For further details on transparency and third-party network usage (including AdSense), please review our Privacy Policy.