JWT Decoder

Decode a JWT header and payload, then inspect the claims as JSON.

JWT decoder

A JWT is a token often used by web apps and APIs. Paste a token here to read the header and payload in plain JSON.

Reading JWTs

A JWT is encoded, not encrypted. If the payload contains user IDs, roles, or emails, anyone with the token can decode and read that part.

Treat real access tokens like credentials. Decode sample or test tokens when possible, and avoid sharing production tokens in tickets, chat, or screenshots.

JWT parts

A JWT has three parts separated by dots:

  1. Header: Token type and signing algorithm.
  2. Payload: Claims such as user ID, role, issuer, and expiry time.
  3. Signature: Used by the server to check that the token was not changed.

Useful when

  • Debug login problems
  • Check token expiry
  • Read API auth claims
  • Inspect sample tokens in docs

How to use JWT Decoder

The JWT decoder reads the header and payload of a token so you can inspect claims. It is meant for debugging, not for proving that a token is trusted.

Privacy and data handling

This decoder is useful for reading JWT headers and payloads, but decoded tokens can expose sensitive claims.

  • Normal decoding happens on the page and does not require a server upload.
  • JWT payloads are not encrypted by default, so avoid pasting live user tokens.
  • Do not trust a decoded token until its signature and expiration have been verified by your application.

Examples

Read common JWT claims

Input

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjMiLCJyb2xlIjoiYWRtaW4iLCJleHAiOjE3MDAwMDAwMDB9.signature

Output

{
  "sub": "123",
  "role": "admin",
  "exp": 1700000000
}

The payload is readable after decoding. You still need signature verification before trusting it.
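The gap between decoding and verifying, shown on the sample token above. This is an added example, not code from this tool; the key `DEMO_KEY` and the helper names are assumptions made up for the demonstration.

```python
import base64, hashlib, hmac, json, time

# Sample token from the Examples section; its third part is the literal text "signature".
SAMPLE = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
          "eyJzdWIiOiIxMjMiLCJyb2xlIjoiYWRtaW4iLCJleHAiOjE3MDAwMDAwMDB9.signature")
DEMO_KEY = b"constructed-demo-key"  # assumption: made-up HS256 key, not a real secret

def b64url_decode(part):
    # JWT segments are unpadded Base64URL; restore '=' padding before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def decode_unverified(token):
    """What a decoder does: parse header and payload. Proves nothing about trust."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated parts")
    return json.loads(b64url_decode(parts[0])), json.loads(b64url_decode(parts[1]))

def sign_hs256(signing_input, key):
    # HMAC-SHA256 over "<header>.<payload>", Base64URL-encoded without padding.
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return b64url_encode(mac)

def verify_hs256(token, key, now=None):
    """What the application must do: return claims only if signature and exp pass."""
    header, payload = decode_unverified(token)
    if header.get("alg") != "HS256":  # pin the algorithm; never let the token choose
        raise ValueError("unexpected alg")
    signing_input, _, presented = token.rpartition(".")
    expected = sign_hs256(signing_input, key)
    if not hmac.compare_digest(expected.encode(), presented.encode()):
        raise ValueError("bad signature")
    exp = payload.get("exp")
    if not isinstance(exp, (int, float)) or exp <= (time.time() if now is None else now):
        raise ValueError("expired or missing exp")
    return payload

def outcome(token, now):
    # Return the verified claims, or the reason verification was refused.
    try:
        return verify_hs256(token, DEMO_KEY, now)
    except ValueError as err:
        return str(err)

if __name__ == "__main__":
    print(decode_unverified(SAMPLE))    # decodes fine despite the placeholder signature
    print(outcome(SAMPLE, 1699999999))  # refused: bad signature
```
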

Steps

  1. Paste a JWT into the input box.
  2. Read the decoded header and payload.
  3. Check fields like exp, iss, aud, sub, and scopes.

Common use cases

  • Debug auth problems in an API request.
  • Check token expiration during local development.
  • Inspect claims returned by an identity provider.

Practical tips

  • Decoding is not the same as verification.
  • Do not share real user tokens in tickets or screenshots.
  • Always verify signatures on the server before trusting claims.

FAQ

Is it safe to decode a JWT?

Decoding a JWT only reads its Base64URL parts. Still, real tokens may contain sensitive claims, so handle them carefully.

Does this verify the JWT signature?

No. A decoder shows the header and payload. Signature verification needs the right secret or public key.
