JWT Decoder — Read Token Header & Payload Online
Decode a JSON Web Token to read its header and payload as JSON and inspect claims like exp, iat, and iss. Debug auth without ever verifying or trusting the signature.
Examples
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjMiLCJuYW1lIjoiQWRhIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
// header
{ "alg": "HS256", "typ": "JWT" }
// payload
{ "sub": "123", "name": "Ada", "iat": 1516239022 }The three dot-separated parts are header.payload.signature; only the first two are decoded here.
How to use this tool
- Paste your JWT into the input box.
- View the decoded header and payload.
- Inspect the claims you need.
- Copy any section you want.
What is JWT Decoder?
JWT Decoder splits a JSON Web Token on its two dots and Base64URL-decodes the first two parts — the header and the payload — into readable JSON. The header shows the signing algorithm (alg) and token type; the payload holds the claims, such as the subject, expiry (exp), and issued-at time (iat). It is a debugging tool for inspecting what a token contains. It deliberately does not check the third part, the signature, so a decoded token tells you nothing about whether it is authentic.
Specifications
| Structure | header.payload.signature (3 dot-separated parts) |
|---|---|
| Encoding | Base64URL (URL-safe, unpadded) |
| Signature | Decoded for display only — never verified |
| Common claims | sub, iss, aud, exp, iat, nbf |
Tips & gotchas
- This decodes the token; it does NOT verify the signature, so never trust a token's contents based on decoding alone — verify it server-side with the secret or public key.
- Never paste production tokens that are still valid: anyone who sees the token can replay it until it expires.
- exp and iat are Unix timestamps in seconds (not milliseconds) — convert them with a timestamp tool to read the date.
- JWT uses Base64URL, not standard Base64, so the parts may contain - and _ and have no = padding.
Features
- Decode the JWT header (alg, typ)
- Decode the payload claims as readable JSON
- Pretty-printed JSON output
- Copy header or payload separately
- Clear notice that signatures are not verified
When to use it
- Checking why a request is rejected by reading the token's exp to see if it expired.
- Confirming which user or scope a token represents by inspecting the sub and claims.
- Verifying the issuer (iss) and audience (aud) match what your API expects.
- Debugging a login flow by comparing the claims your auth server actually issued.
This tool runs in your browser. Your files and text are not uploaded to our servers, and we do not store your input.
Frequently asked questions
Does this verify the JWT signature?+
No. This tool only decodes the header and payload. It does not verify the signature, so never trust a token based on decoding alone — validation must happen on your server with the signing key.
How do I read the exp and iat values?+
They are Unix timestamps in seconds since 1970. Paste the number into a Unix timestamp converter to see the human-readable date; if exp is in the past, the token is expired.
Why can't my token be decoded?+
A JWT must have three Base64URL parts separated by dots. If a part is missing or contains invalid characters, the tool shows an error.
What does the alg field in the header mean?+
It names the algorithm used to sign the token, such as HS256 (HMAC) or RS256 (RSA). It tells the server how to verify the signature; it is not something this decoder acts on.
Related tools
Related guides
Looking for more Developer Tools?
Browse the full collection of free, browser-based tools.