JWT Decoder

Decode a JSON Web Token's header and payload — locally, never verified online.

Popular toolMerge PDF filesCombine PDFs in seconds. Nothing uploads; it all runs on your device.Open

The signature is not verified — this only decodes the header and payload so you can read the claims. Verify signatures on your server with the signing key, and avoid pasting production tokens anywhere online.

How to decode a JWT

Paste the full token — the three dot-separated parts — into the box. The header and payload are split on the dots, base64url-decoded, and shown as formatted JSON so you can read every claim at a glance.

What the parts mean

The header names the signing algorithm and token type. The payload holds the claims: who the token is for, when it expires, and any custom data. The third part is the signature, which this tool deliberately leaves unverified.

Questions

Does this verify the token's signature?
No. This tool only base64url-decodes the header and payload so you can inspect the claims. Verifying the signature requires the secret or public key and should happen on your server, never in a public web page.
Is it safe to paste a real token here?
Decoding runs entirely in your browser and nothing is uploaded. That said, a JWT can grant access while it's valid — avoid pasting production tokens into any online tool, and prefer short-lived or test tokens.