DevToolsLabs

JWT Decoder

JSON Web Tokens (JWT) are heavily used in modern web authentication, but a raw token is not human-readable because its parts are Base64Url encoded. The JWT Decoder instantly splits your token into its three distinct parts (Header, Payload, and Signature) and formats the JSON data so you can easily check the claims, token scopes, and algorithm type. This parser runs 100% locally in your browser to guarantee the security of your unencrypted identity tokens.

100% Private & Secure

This tool runs completely inside your browser using client-side WebAssembly and JS. Zero data is ever sent to our servers.

Encoded JWT

Paste your JSON Web Token below. The tool will automatically decode and parse the Header and Payload in real-time. Everything happens in your browser.

How to use this tool

  1. Copy your raw JSON Web Token (it should look like a long string of random characters separated by two periods).
  2. Paste the token into the 'Encoded JWT' textarea on the left.
  3. The tool will instantly detect the dot (.) separators and split the token.
  4. The red box displays the decoded Header, revealing the algorithm ('alg').
  5. The purple box displays the decoded Payload, revealing the user claims (like 'sub', 'exp', or 'roles').

Example Usage

Input
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.xxxxxx
Output
Header: { "alg": "HS256", "typ": "JWT" }
Payload: { "sub": "1234567890", "name": "John Doe", "iat": 1516239022 }

When to use this tool

  • Debugging frontend authentication flows to ensure the backend is passing the correct User ID (`sub`) in the token.
  • Verifying that the token expiration claim (`exp`) is set correctly so users aren't logged out prematurely.
  • Checking what OAuth scopes or RBAC (Role-Based Access Control) permissions are embedded in the JWT payload.

Frequently Asked Questions

Is it safe to paste my JWT here?

Yes. This tool is a 100% Client-Side application. The token decoding happens entirely within your browser using JavaScript's native `atob()` function. Your token is never transmitted over a network or saved to any server log.

Does this tool verify or validate the token signature?

No, this specific tool is purely a 'Decoder'—it only reads the public information inside the token. To mathematically verify that a token has not been tampered with, you need the secret signing key. You can use our JWT Signature Validator tool for that purpose.

Can anyone read the payload of my JWT?

Yes! A standard JWT is only Base64Url encoded, not encrypted. Anyone who has the token string can decode the header and payload. You should NEVER put sensitive information like passwords, credit card numbers, or Social Security Numbers inside a JWT payload.

What do the three parts of the JWT mean?

  1. The Header identifies the signing algorithm used (like HS256 or RS256).
  2. The Payload contains the 'claims' (the actual data payload, such as User ID).
  3. The Signature is a secure cryptographic hash used by the server to verify the token hasn't been altered.
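
The split-and-decode steps described on this page, as an added example that is not this site's own code. The function names and the warning heuristics are assumptions made for illustration; the sample token is the one from "Example Usage". It decodes only and never checks the signature.

```javascript
// Added example: decode-only JWT inspection (the signature is NOT verified).
// Function names are hypothetical; SAMPLE_TOKEN is the page's "Example Usage" input.
const SAMPLE_TOKEN = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.xxxxxx';

// atob() only accepts standard Base64, so map the Base64Url characters
// '-' and '_' back to '+' and '/' and restore the stripped '=' padding.
// Decoding the bytes as UTF-8 keeps non-ASCII claim values intact.
function base64UrlDecode(segment) {
  if (!/^[A-Za-z0-9_-]*$/.test(segment)) throw new Error('not Base64Url');
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return new TextDecoder().decode(bytes);
}

// Splits on the two dots, decodes header and payload, and lists points a
// reviewer would want to look at. nowSeconds is injectable for testing.
function inspectJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split('.');
  if (parts.length !== 3) throw new Error('expected header.payload.signature');
  const header = JSON.parse(base64UrlDecode(parts[0]));
  const payload = JSON.parse(base64UrlDecode(parts[1]));
  if (!header || typeof header !== 'object' || !payload || typeof payload !== 'object') {
    throw new Error('header and payload must be JSON objects');
  }
  const warnings = [];
  if (String(header.alg).toLowerCase() === 'none' || parts[2] === '') {
    warnings.push('unsigned token (alg "none" or empty signature)');
  }
  if (typeof payload.exp !== 'number') warnings.push('no exp claim present');
  else if (payload.exp <= nowSeconds) warnings.push('token is expired');
  for (const name of Object.keys(payload)) {
    if (/pass(word)?|secret|ssn|card/i.test(name)) {
      warnings.push(`claim "${name}" looks sensitive and is readable by anyone`);
    }
  }
  return { header, payload, signature: parts[2], verified: false, warnings };
}

console.log(inspectJwt(SAMPLE_TOKEN));
```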
