JWT Decoder Online

Decode and inspect JWT tokens.


Paste your JWT into the input box and click Decode to instantly see the header, payload claims, and raw signature. All decoding happens in your browser — the token is never sent to any server.

What is a JSON Web Token (JWT)?

A JWT (JSON Web Token, pronounced "jot") is a compact, URL-safe token format defined in RFC 7519. It is widely used for stateless authentication: after a user logs in, the server issues a JWT, and the client includes it in subsequent requests (typically in the Authorization: Bearer <token> header). The server validates the token without needing to query a session database.

A JWT consists of three Base64URL-encoded parts separated by dots (.):

  1. Header — contains the token type (typ: "JWT") and the signing algorithm (alg), e.g. HS256, RS256, ES256.
  2. Payload — contains claims: standard fields like sub (subject), iat (issued at), exp (expiration), aud (audience), plus any custom fields your application adds.
  3. Signature — a cryptographic signature that lets the server verify the token was not tampered with. This tool does not verify signatures — it only decodes and displays the data.
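To make the three parts concrete, here is an added example (not code from this page's tool) that mints an HS256 token with Python's standard library and then decodes it the way this page does: header and payload back to JSON, signature as raw bytes, no verification. The shared secret and the claims are constructed for illustration; the example also shows why a decoder has to restore the Base64URL padding and decode the payload as UTF-8.

```python
import base64
import hashlib
import hmac
import json

# Constructed for illustration only; a real secret is long, random and kept server-side.
SECRET = b"example-shared-secret"


def b64url_encode(data: bytes) -> str:
    # Base64URL: '-' and '_' instead of '+' and '/', and the '=' padding stripped.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # Restore the padding the token dropped: length mod 4 says how many '=' are missing.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def json_segment(obj: dict) -> str:
    # Compact JSON (no whitespace) so the encoded segment is reproducible; UTF-8 for
    # non-ASCII claim values rather than \u escapes.
    return b64url_encode(json.dumps(obj, separators=(",", ":"), ensure_ascii=False).encode("utf-8"))


def encode_hs256(claims: dict, secret: bytes) -> str:
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = f"{json_segment(header)}.{json_segment(claims)}"
    # Signature = HMAC-SHA256 over "<header>.<payload>", keyed with the shared secret.
    signature = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(signature)}"


def decode_jwt(token: str) -> dict:
    # What an online decoder shows. Nothing here checks the signature, so a token whose
    # payload was edited in transit decodes just as cleanly as a genuine one.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments")
    header_b64, payload_b64, sig_b64 = parts
    return {
        "header": json.loads(b64url_decode(header_b64).decode("utf-8")),
        "payload": json.loads(b64url_decode(payload_b64).decode("utf-8")),
        "signature": b64url_decode(sig_b64),
    }


if __name__ == "__main__":
    # Constructed sample claims; the non-ASCII name exercises the UTF-8 path.
    token = encode_hs256({"sub": "1234567890", "name": "Zoë", "iat": 1516239022}, SECRET)
    print(token)
    print(json.dumps(decode_jwt(token), indent=2, default=lambda b: b.hex()))
```

The header segment of any HS256/JWT token built this way is the familiar eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9, because the compact JSON bytes are identical every time.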

How to use this tool

  1. Paste your JWT into the JWT Token field. It should look like three base64url strings separated by dots.
  2. Click Decode. The Header and Payload are decoded and displayed as formatted JSON.
  3. Use the Copy buttons to copy the Header or Payload JSON to your clipboard.

Code examples

JavaScript — decode without verification (client-side only)
// Decode only: this does NOT check the signature. atob() yields one char per byte,
// so non-ASCII claim values need an explicit UTF-8 decode as well.
function decodeJWT(token) {
  const [header, payload] = token.split('.');
  const decode = str => {
    const b64 = str.replace(/-/g, '+').replace(/_/g, '/');        // Base64URL -> Base64
    const padded = b64 + '='.repeat((4 - b64.length % 4) % 4);    // restore stripped padding
    const bytes = Uint8Array.from(atob(padded), c => c.charCodeAt(0));
    return JSON.parse(new TextDecoder('utf-8').decode(bytes));
  };
  return { header: decode(header), payload: decode(payload) };
}
const { header, payload } = decodeJWT(token); // token: the JWT string from the input field
console.log(header.alg, payload.exp);         // algorithm the header claims, expiration timestamp
Python — decode and verify with PyJWT
import jwt  # pip install PyJWT

# Decode without verification (inspect only). Never base an authorization
# decision on these claims: anyone can produce a token that decodes this way.
decoded = jwt.decode(token, options={"verify_signature": False})
print(decoded)

# Decode WITH verification (production use). algorithms= is the server-side
# allowlist: PyJWT rejects any token whose alg header is not in it, "none" included.
# exp and nbf are checked automatically; pass audience="..." if the token carries aud.
try:
    decoded = jwt.decode(token, secret_key, algorithms=["HS256"])
except jwt.ExpiredSignatureError:
    ...  # token is past its exp claim
except jwt.InvalidTokenError:
    ...  # bad signature, disallowed alg, malformed token, wrong audience, etc.

Frequently asked questions

Is my JWT token sent to a server when I decode it?
No. All decoding is done in your browser using atob() and JSON.parse(). Nothing leaves your device.
Does this tool verify the JWT signature?
No. Signature verification requires either the HMAC secret, which must never leave your server, or the issuer's public key (RSA/ECDSA). This tool only decodes and displays the header and payload. Never trust a JWT payload in a security-sensitive context without verifying the signature on the server: the claims you see here are exactly as easy for an attacker to write as for the issuer.
What is the exp claim and how do I check if a token is expired?
The exp claim is a Unix timestamp (seconds since Jan 1 1970 UTC) indicating when the token expires. Compare it to Math.floor(Date.now() / 1000) — if exp is less than the current time, the token has expired. Verifying libraries usually allow a few seconds of leeway for clock skew between issuer and verifier; the check belongs on the server, since a client's clock (and a client's code) can be adjusted at will.
What does alg: "none" in the header mean?
The none algorithm means the token is unsigned: the third segment is empty. Many JWT libraries have historically accepted alg: none tokens as valid, which is a critical security vulnerability, because an attacker can take any token, rewrite the payload, set alg to none, drop the signature, and be accepted. Always explicitly allowlist the permitted algorithms on the server side and reject anything else, rather than letting the token's own header decide how it is verified.
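An added example, not code from this page or from any particular library, that puts the two verifier styles side by side: one that honors whatever alg the token's header names (and therefore waves through alg: none), and one that applies a server-side allowlist, a constant-time signature comparison and an exp check with leeway. The secret, claims and timestamps are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed for illustration only.
SECRET = b"example-shared-secret"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def json_segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def make_token(header: dict, claims: dict, secret: bytes) -> str:
    # Signs with HMAC-SHA256 for alg HS256; for alg "none" emits an empty signature,
    # which is exactly what an attacker would send.
    signing_input = f"{json_segment(header)}.{json_segment(claims)}"
    if header["alg"] == "none":
        return signing_input + "."
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def verify_naive(token: str, secret: bytes) -> dict:
    # VULNERABLE: the token's own header chooses the algorithm, so alg "none" skips the MAC.
    h, p, s = token.split(".")
    header = json.loads(b64url_decode(h))
    if header["alg"] == "HS256":
        expected = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
        if expected != b64url_decode(s):  # plain != is not constant-time either
            raise ValueError("bad signature")
    elif header["alg"] != "none":
        raise ValueError("unsupported alg")
    return json.loads(b64url_decode(p))


def verify_strict(token: str, secret: bytes, allowed=("HS256",), leeway: int = 0, now=None) -> dict:
    # HARDENED: the server's allowlist decides; the header is only checked against it.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    h, p, s = parts
    header = json.loads(b64url_decode(h))
    if header.get("alg") not in allowed:
        raise ValueError(f"alg {header.get('alg')!r} not allowed")
    expected = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(p))
    now = int(time.time()) if now is None else now
    # exp is seconds since the epoch; leeway absorbs small clock skew between issuer and verifier.
    if "exp" in claims and now > claims["exp"] + leeway:
        raise ValueError("token expired")
    return claims


if __name__ == "__main__":
    # Constructed: a genuine token and an unsigned forgery that claims admin.
    genuine = make_token({"alg": "HS256", "typ": "JWT"}, {"sub": "alice", "exp": 2000}, SECRET)
    forged = make_token({"alg": "none", "typ": "JWT"}, {"sub": "alice", "admin": True}, SECRET)
    print("naive accepts forgery:", verify_naive(forged, SECRET))
    for name, fn in (("naive", verify_naive), ("strict", verify_strict)):
        try:
            print(name, "->", fn(forged, SECRET))
        except ValueError as exc:
            print(name, "-> rejected:", exc)
    print("strict accepts genuine:", verify_strict(genuine, SECRET, now=1999))
```

The forged token never touches the secret, yet verify_naive returns its claims; verify_strict refuses it at the allowlist before any signature work happens, and also catches a payload edited after signing, because the MAC no longer matches.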
Why are JWTs Base64URL-encoded and not Base64?
Standard Base64 uses the +, / and = characters, which are not safe in URLs and HTTP headers without escaping. Base64URL substitutes - for + and _ for /, and omits the = padding, making the token safe to include as a URL parameter or header value without extra encoding. A decoder has to add the padding back (to a multiple of four characters) before a standard Base64 routine will accept the segment.
What is the difference between HS256 and RS256?
HS256 uses a shared secret key (symmetric HMAC-SHA256) — the same key is used to both sign and verify, so every verifier can also mint tokens. RS256 uses an RSA key pair (asymmetric) — the private key signs and the public key verifies. RS256 is preferred in multi-service architectures where services need to verify tokens without being able to issue them. With either, the verifier must choose the key and algorithm from its own configuration, never from the token's alg header.