325Tools

How to Decode a JWT (Header, Payload, and a Safety Note)

Updated 2026-06-01

JSON Web Tokens (JWTs) are everywhere in modern auth. When debugging, you often need to read what is inside one. Here is how — and an important safety note.

What a JWT looks like

A JWT has three Base64URL parts separated by dots:

header.payload.signature
  • Header — the algorithm and token type.
  • Payload — the claims, such as user id, expiry (exp) and issuer (iss).
  • Signature — proves the token was not tampered with.

Decode it

Open the free JWT Decoder and paste your token. It shows the header and payload as readable JSON, which you can copy.

Important: decoding is not verifying

Anyone can decode a JWT — the header and payload are only Base64-encoded, not encrypted. Decoding does not check the signature, so never trust a token's contents based on decoding alone. Signature verification must happen on your server with the secret or public key. Our JWT Decoder deliberately decodes only and never verifies signatures.
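
The difference between the two steps, as an added Python example (not code from 325Tools or its JWT Decoder). It assumes an HS256 token; the secret, the claims and all function names are constructed for illustration.

```python
import base64, hashlib, hmac, json

def b64url_decode(part: str) -> bytes:
    # JWT parts drop Base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def sign_hs256(signing_input: str, secret: bytes) -> bytes:
    return hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()

def decode_unverified(token: str) -> tuple:
    """What a decoder does: read header and payload, ignore the signature."""
    header_b64, payload_b64, _signature = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))

def verify_hs256(token: str, secret: bytes) -> dict:
    """What a server does: return the payload only if the signature checks out."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    # The server pins the algorithm; the token's own header does not get to pick it.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    expected = sign_hs256(f"{header_b64}.{payload_b64}", secret)
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(payload_b64))

def make_token(payload: dict, secret: bytes) -> str:
    # Builds the constructed sample tokens used below.
    objs = ({"alg": "HS256", "typ": "JWT"}, payload)
    signing_input = ".".join(b64url_encode(json.dumps(o).encode()) for o in objs)
    return f"{signing_input}.{b64url_encode(sign_hs256(signing_input, secret))}"

def replace_payload(token: str, payload: dict) -> str:
    # Swaps the payload but keeps the old signature, which needs no key at all.
    header_b64, _old, sig_b64 = token.split(".")
    return f"{header_b64}.{b64url_encode(json.dumps(payload).encode())}.{sig_b64}"

SECRET = b"constructed-demo-secret"  # constructed value, not a real key
GENUINE = make_token({"sub": "user-17", "role": "viewer"}, SECRET)
EDITED = replace_payload(GENUINE, {"sub": "user-17", "role": "admin"})

if __name__ == "__main__":
    print(decode_unverified(EDITED)[1])   # the edited payload decodes without complaint
    print(verify_hs256(GENUINE, SECRET))  # the genuine token passes verification
    try:
        verify_hs256(EDITED, SECRET)
    except ValueError as err:
        print("rejected:", err)           # the edited token fails verification
```

The edited token decodes exactly like the genuine one; only the server-side check with the key tells them apart.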

Frequently asked questions

Is it safe to paste a token here? Decoding happens in your browser and nothing is uploaded. Still, avoid sharing live production tokens.

Why can't I see the signature contents? The signature is a cryptographic value, not readable data; it is used to verify, not to read.
