Decode JSON Web Tokens to reveal the header, payload, and claims — instantly in your browser.
Backend developers debugging authentication tokens and inspecting JWT claims.
Paste your JWT
Copy the token — the long string that usually starts with "eyJ" — and paste it into the input.
View the decoded parts
The header, payload, and signature segment are split out and formatted as readable JSON automatically.
Check expiry and claims
See whether the token is expired and read every claim — roles, subject, issuer, and timestamps — at a glance.
A JSON Web Token looks like a meaningless blob of characters, but it is really three Base64URL-encoded parts — a header, a payload, and a signature — separated by dots. Inside the payload sit the things you actually care about when debugging authentication: who the user is, their roles and permissions, when the token was issued, and when it expires. When a login fails, an API returns 401, or a permission check misbehaves, the fastest way to understand why is to read what is actually in the token. This decoder splits a JWT apart and shows the header and payload as clean, readable JSON, flags whether the token has expired, and reveals the signing algorithm. It runs entirely in your browser — nothing is uploaded — which matters because JWTs are live credentials. Paste a token and instantly see its contents instead of writing throwaway code or pasting it into a site that might log it. Note that decoding only reads the token; it does not and cannot verify the signature.
Authentication debugging
Confirm a user’s roles, scopes, and token expiry while tracking down a login or 401 issue.
API integration
Decode tokens from a third-party provider to learn the claim names and structure you need to handle.
Security review
Check what data a token exposes and which algorithm the header declares (watching out for "none" or weak choices).
Support & QA
Quickly verify whether a reported auth bug is caused by an expired or malformed token.
Learning JWTs
See exactly how a real token is structured to understand how stateless authentication works.
No. Decoding is 100% client-side, so your token never leaves your device.
No. Verifying the signature requires the secret or public key; this tool only decodes and displays the header and payload.
Because nothing is uploaded, it is safer than most online decoders — but still treat JWTs as live credentials and avoid sharing your screen with one displayed.
Any standard JWT in header.payload.signature format, including HS256, RS256, and ES256 — the algorithm is shown in the decoded header.
The signature is a cryptographic hash, not encoded JSON, so it is not human-readable by design — only the header and payload decode to text.
The exp claim is a Unix timestamp; the tool converts it and tells you whether the token has already expired.
No. This handles signed JWTs (JWS). Encrypted JWE tokens cannot be read without the decryption key.
Yes — decode as many tokens as you need for free, with no sign-up.