JWT Decoder
Paste a JSON Web Token to decode its header and payload. Decoding happens entirely in your browser.
—
—
—
What is a JWT?
A JSON Web Token is a compact, URL-safe token made of three Base64URL-encoded parts separated by dots: a header (algorithm and token type), a payload (the claims — user ID, expiry, roles, etc.), and a signature that proves the token wasn't tampered with. Anyone can decode the header and payload without a secret key — that's by design, JWTs aren't encrypted, they're signed. Never put secrets in a JWT payload.
This tool doesn't verify signatures
Decoding shows you what's inside the token. It does not verify the signature is valid, since that requires the issuer's secret or public key. Don't trust the contents of a JWT you haven't verified server-side.