JWT Decoder | Read Header and Payload

Decode JWT header and payload JSON to inspect token claims, issuer, subject, audience, and expiry values.

Enter Encoded JWT Token
You entered an invalid or malformed JWT format!
Header (Algorithm & Type)
Payload (Data & Claims)

Decode JWT Header and Payload

Paste a JSON Web Token to view its header and payload as readable JSON. It helps inspect claims such as issuer, audience, subject, expiration time, issued-at time, roles, and custom fields.

Decoded Does Not Mean Verified

Reading a JWT is different from validating its signature. A decoded token can be modified, so never trust claims unless the signature and expected issuer are verified by your application.

Handle Tokens Carefully

JWTs can contain session identifiers or private claims. Avoid pasting live production tokens, and remove sensitive values before sharing decoded output with teammates or support.

About This Tool

JWT Decoder decodes JSON Web Tokens to reveal the header, payload, and signature sections in readable JSON. It is used by developers to inspect token claims, expiry times, and issuer information without needing a backend or library.

When to Use It

Use this when debugging authentication issues to see what claims a token carries, when verifying that a token's expiry time is set correctly, or when inspecting a token from a third-party service.

How to Use

  1. Paste the full JWT string into the input field.
  2. Click Decode to split the token into its three sections.
  3. Review the header to see the algorithm and token type.
  4. Check the payload for claims, user data, and expiry time.
  5. Note that the signature is shown but cannot be verified without the secret key.

Frequently Asked Questions

Is it safe to paste a real JWT into a browser tool?

A JWT is not encrypted, only Base64-encoded. Anyone who sees the token can decode its payload. Do not share tokens containing sensitive claims with untrusted tools.

Can this tool verify a JWT signature?

The decoder displays the signature but cannot verify it without the secret key or public key used to sign the token.

What does the exp field in a JWT payload mean?

exp is a Unix timestamp representing the expiry time of the token. A token with an exp in the past is expired and should be rejected by the server.

Related Tools

Jwt Generator Base64Converter Hash Generator