JWT decoder
Paste a JSON Web Token and read its header and payload as formatted JSON, right in your browser.
This decodes only. It does not verify the signature, so it cannot confirm a token is authentic or unmodified. Nothing you paste is uploaded, the decode runs locally in your browser tab.
How JWT decoding works
A JWT is three parts joined by dots: a header, a payload, and a signature, each Base64url-encoded. The header and payload are plain JSON once decoded, typically holding things like the signing algorithm, token type, subject, issue time, and expiry. The signature is different: it is a cryptographic value computed over the header and payload using a secret or private key, and checking it requires that key, which is why a browser-only tool can decode the contents of a token but cannot tell you whether it is valid.
Example
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5cHeader:
{
"alg": "HS256",
"typ": "JWT"
}
Payload:
{
"sub": "1234567890",
"name": "John Doe",
"iat": 1516239022
}Questions
- Does this verify the signature?
- No. This decodes the header and payload, which are only Base64url text, not encrypted or protected. It does not check the third part (the signature) against a secret or public key, so it cannot tell you whether a token is genuine or has been tampered with. Signature verification needs the issuer's key and belongs on your server, not in a browser tool.
- Is it safe to paste a real token here?
- The decode step runs entirely in your browser tab and nothing is sent anywhere, so pasting a token does not leak it over the network. That said, treat access and ID tokens like passwords: prefer a disposable or expired token when you just want to inspect the shape of a payload.
- Why do I get an error decoding my token?
- A JWT is three dot-separated Base64url parts: header, payload, signature. If you paste only part of a token, extra whitespace, or a non-JWT string, the JSON parse step fails. Make sure you copied the full token, including both dots.
Need to chain more steps, or verify a hash instead? The full Data Forge workbench covers Base64, hex, hashing, and ciphers too, or try the Base64 encoder/decoder and timestamp converter.