JWT Decoder
Decode and inspect JWT tokens without verifying the signature.
JWT structure
A JWT has three Base64Url-encoded parts separated by dots: header.payload.signature. The payload is encoded, NOT encrypted; anyone can read it.
- Header: algorithm and token type
- Payload: claims (user data, expiry)
- Signature: proves the token has not been tampered with
- ⚠️ Never store passwords in the JWT payload
What this tool does
Decodes a JSON Web Token (JWT) and displays the header and payload in formatted JSON. Also shows whether the token is expired. Does NOT verify the signature; for display purposes only.
Input fields explained
JWT Token
Paste the full JWT token here. It has three parts separated by dots: header.payload.signature. The header and payload are Base64Url encoded and can be decoded without the secret key.
💡 Tips & context
- Never share production JWTs; the payload may contain user data.
- JWT signatures are verified server-side with the secret key. This tool only decodes; it does not verify.
- Common claims: sub (user ID), exp (expiry timestamp), iat (issued at), aud (audience).
Formula / How it works
JWT tokens have 3 parts separated by dots: header.payload.signature. All parts are Base64Url encoded. ⚠️ This tool only decodes; it does not verify the signature.
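The decode-only step described above, as an added example in JavaScript for Node.js (not this tool's own code). The function names and the sample token are constructed for illustration, and the token's signature is a dummy string.

```javascript
"use strict";

// Base64Url -> UTF-8 string: restore the standard alphabet and padding first.
function b64urlDecode(part) {
  if (!/^[A-Za-z0-9_-]+$/.test(part)) throw new Error("not Base64Url");
  const b64 = part.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, "base64").toString("utf8");
}

// Returns header, payload and expiry status. Nothing here proves authenticity.
function inspectJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const header = JSON.parse(b64urlDecode(parts[0]));
  const payload = JSON.parse(b64urlDecode(parts[1]));
  // exp is seconds since the Unix epoch; a missing exp is reported as null
  // ("unknown"), never as "still valid".
  const expired = typeof payload.exp === "number" ? payload.exp <= nowSeconds : null;
  return { header, payload, expired, signatureVerified: false };
}

// Helper used only to build the constructed sample below.
function b64urlEncode(obj) {
  return Buffer.from(JSON.stringify(obj)).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Constructed sample token: made-up claims, dummy signature.
const SAMPLE_TOKEN = [
  b64urlEncode({ alg: "HS256", typ: "JWT" }),
  b64urlEncode({ sub: "user-123", aud: "example-api", iat: 1700000000, exp: 1700003600 }),
  "not-a-real-signature",
].join(".");

// A payload edited after issuance still decodes cleanly, which is why decoded
// claims must not be trusted until the signature is verified server-side.
function tamperedCopy(token) {
  const [h, p, s] = token.split(".");
  const claims = JSON.parse(b64urlDecode(p));
  claims.sub = "someone-else";
  return [h, b64urlEncode(claims), s].join(".");
}

console.log(inspectJwt(SAMPLE_TOKEN, 1700000100));
console.log(inspectJwt(tamperedCopy(SAMPLE_TOKEN), 1700000100).payload.sub);
```

The second call decodes without error even though the payload no longer matches the signature, so a decoder's output is for inspection only.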