JWT Decoder
Decode and inspect JSON Web Tokens
How to use
- Paste a JWT (JSON Web Token) into the input box.
- The header and payload are decoded and shown as readable JSON.
- Inspect claims like expiry (exp), issuer (iss), and subject (sub).
Why use this tool
- Header + payload: Decodes both Base64URL sections into formatted, readable JSON.
- Claim inspection: Quickly read standard claims like exp, iat, iss, and aud.
- Safe & private: Decoding is local — your token is never sent to a server, which matters because tokens grant access.
Frequently asked questions
Does this verify the signature?
No. It decodes the token so you can read its contents. Verifying the signature requires the secret or public key and should be done server-side.
Is it safe to paste my token here?
Yes — decoding happens entirely in your browser and the token is never uploaded. Still, treat real access tokens carefully.
Why is the payload readable without a key?
JWT payloads are only Base64URL-encoded, not encrypted. The signature protects against tampering, not reading.
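The decoding described in the answers above, as an added example that is not this tool's own code: it splits the token, Base64URL-decodes the header and payload without any key, and compares exp against a supplied time. The function names, the sample claims and the placeholder signature are constructed for illustration.

```javascript
// Added example: decode a JWT for inspection only. No key is used and the
// signature is never checked, so the result is not proof of authenticity.

// Decode one Base64URL segment into a UTF-8 string.
function b64urlDecode(segment) {
  if (!/^[A-Za-z0-9_-]*$/.test(segment)) {
    throw new Error("segment is not Base64URL");
  }
  // Map the URL-safe alphabet back to standard Base64 and restore padding.
  let b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  if (b64.length % 4 === 1) throw new Error("invalid Base64URL length");
  b64 += "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes);
}

// Decode header and payload; the signature segment is returned untouched.
function decodeJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) {
    throw new Error("expected three dot-separated segments");
  }
  const header = JSON.parse(b64urlDecode(parts[0]));
  const payload = JSON.parse(b64urlDecode(parts[1]));
  // exp is seconds since the epoch; null means the token carries no exp claim.
  const expired =
    typeof payload.exp === "number" ? nowSeconds >= payload.exp : null;
  return { header, payload, signature: parts[2], expired, signatureVerified: false };
}

// Constructed sample token (ASCII claims only; the signature is a placeholder).
const enc = (obj) =>
  btoa(JSON.stringify(obj)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const SAMPLE_TOKEN = [
  enc({ alg: "HS256", typ: "JWT" }),
  enc({ iss: "https://issuer.example", sub: "user-123", exp: 1700000000 }),
  "placeholder-signature",
].join(".");

console.log(decodeJwt(SAMPLE_TOKEN, 1700000001));
```

Every field in the result comes straight from the token text, so it is suitable for reading claims and nothing more until the signature has been verified with the key on the server.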