JWT Decoder
Decode JSON Web Tokens (JWT) to view header and payload claims instantly, with optional HS256 signature verification.
How the JWT Decoder works
A JSON Web Token consists of three dot-separated parts: header, payload, and signature. The header and payload are base64url-encoded JSON objects.
This tool decodes those two parts into readable JSON so you can inspect claims and debug authentication flows quickly.
If the token uses the HS256 algorithm, the tool can recompute the HMAC SHA-256 signature locally and compare it to the token’s signature.
- Header: Contains metadata such as alg (algorithm) and typ (token type).
- Payload: Contains claims like sub, exp, roles, scopes, and custom fields.
- Signature: Lets the recipient detect tampering; for HS256 it can be verified with the shared secret.
- Local execution: All decoding and verification happen in your browser.
When to use a JWT decoder
JWT decoders are essential when APIs reject requests, tokens expire unexpectedly, or claims don’t match what your backend expects.
They also help verify that authentication providers are issuing correct claims before rolling out changes to production.
- API debugging: Inspect Bearer tokens sent in Authorization headers.
- Auth troubleshooting: Confirm exp, iat, aud, and issuer values.
- Role checks: Verify scopes, permissions, and custom claims.
Security notes and best practices
Decoding a JWT does not make it trustworthy. Anyone can base64-decode a token, so signature verification and proper backend validation are critical.
Never rely on decoded JWT data alone for authorization decisions without server-side verification.
- Decoding: Shows contents but does not guarantee authenticity.
- Verification: HS256 verification checks integrity but not expiration or audience.
- Production use: Always validate tokens server-side.
FAQ
Does this JWT decoder upload my token?
No. Decoding and verification run entirely in your browser. Tokens are never uploaded or stored.
Can it verify JWT signatures?
Yes, for HS256 tokens. Enter the shared secret to verify the signature. Other algorithms are decoded but not verified.
Why does my token show an error?
JWTs must contain three dot-separated parts, and the header and payload must be valid base64url-encoded JSON. If the format or encoding is invalid, decoding will fail.
Is decoding the same as verifying?
No. Decoding only reads the contents of the token. Verification checks that the signature matches and the token hasn’t been altered.
What claims should I look for?
Common claims include exp (expiry), iat (issued at), sub (subject or user id), aud (audience), iss (issuer), and app-specific custom claims.