Skip to content
Tool

JWT decoder

Paste a JSON Web Token and read its header and payload as formatted JSON, right in your browser.

This decodes only. It does not verify the signature, so it cannot confirm a token is authentic or unmodified. Nothing you paste is uploaded, the decode runs locally in your browser tab.

Input
Output
Encoding
Cipher
Hash
Data
Text
Recipe · 1 steps
1JWT decodeData

How JWT decoding works

A JWT is three parts joined by dots: a header, a payload, and a signature, each Base64url-encoded. The header and payload are plain JSON once decoded, typically holding things like the signing algorithm, token type, subject, issue time, and expiry. The signature is different: it is a cryptographic value computed over the header and payload using a secret or private key, and checking it requires that key, which is why a browser-only tool can decode the contents of a token but cannot tell you whether it is valid.

Example

Input (JWT)
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
Output (decoded)
Header:
{
  "alg": "HS256",
  "typ": "JWT"
}

Payload:
{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022
}

Questions

Does this verify the signature?
No. This decodes the header and payload, which are only Base64url text, not encrypted or protected. It does not check the third part (the signature) against a secret or public key, so it cannot tell you whether a token is genuine or has been tampered with. Signature verification needs the issuer's key and belongs on your server, not in a browser tool.
Is it safe to paste a real token here?
The decode step runs entirely in your browser tab and nothing is sent anywhere, so pasting a token does not leak it over the network. That said, treat access and ID tokens like passwords: prefer a disposable or expired token when you just want to inspect the shape of a payload.
Why do I get an error decoding my token?
A JWT is three dot-separated Base64url parts: header, payload, signature. If you paste only part of a token, extra whitespace, or a non-JWT string, the JSON parse step fails. Make sure you copied the full token, including both dots.

Need to chain more steps, or verify a hash instead? The full Data Forge workbench covers Base64, hex, hashing, and ciphers too, or try the Base64 encoder/decoder and timestamp converter.