JWT Decoder
See what's inside your JWT. We won't tell anyone.
What this does
Paste a JWT and see what's actually in it. A JWT is three chunks of base64url-encoded JSON separated by dots: header, payload, signature. The header and payload are only encoded, not encrypted, which means anyone who holds the token can read them. This tool splits on the dots and decodes the first two parts. The signature is left as its raw base64url text because verifying it requires the secret or public key.
Common use cases
Debugging 401s. Your API returns unauthorized and you need to check if the token expired. Compare the exp claim against the current time. Timestamps here get converted to human-readable dates because nobody thinks in Unix epochs.
Environment mismatches. The token works in staging but not production because the aud claim doesn't match. Or the iss points to the wrong auth server. All obvious once you can see the payload.
Understanding what's in a token. Standard claims include sub (user ID), iat (issued at), exp (expiration), iss (issuer), and aud (audience). Most JWTs also carry custom claims: roles, permissions, email, whatever the auth system packed in.
Things to know
Decoding a JWT does not mean trusting it. Anyone can create a JWT with any payload they want. The signature is what proves it's legitimate, and verifying that requires the server's secret or public key. This tool shows you what's in the token. It doesn't tell you whether the token is genuine. Never make authorization decisions based on a decoded-but-unverified JWT.
The header usually contains alg (signing algorithm, typically RS256 or HS256) and typ (almost always "JWT"). Sometimes a kid (key ID) appears too, telling the verifier which key to use. Not exciting, but useful when debugging auth issues across multiple key rotations.
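Putting the pieces above together, as an added example that is not the tool's own code: a browser-style JavaScript decoder that splits on the dots, base64url-decodes header and payload, turns the time claims into readable dates, flags an expired token, and always reports the signature as unverified. The sample token, its claims and the key ID are constructed for the demonstration.

```javascript
// Added example (not the tool's code): read a JWT without trusting it.
function base64urlToBytes(s) {
  // base64url swaps '+' '/' for '-' '_' and drops '=' padding; restore plain base64
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/") + "=".repeat((4 - (s.length % 4)) % 4);
  return Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
}

function decodeSegment(seg) {
  return JSON.parse(new TextDecoder().decode(base64urlToBytes(seg)));
}

const TIME_CLAIMS = ["iat", "nbf", "exp"];

// Returns what can be read from the token. `verified` is always false: nothing
// here checks the signature, which needs the server's secret or public key.
function inspectJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const [h, p, signature] = parts;
  const header = decodeSegment(h);
  const payload = decodeSegment(p);
  const times = {};
  for (const claim of TIME_CLAIMS) {
    if (typeof payload[claim] === "number") {
      times[claim] = new Date(payload[claim] * 1000).toISOString(); // epoch seconds -> ISO date
    }
  }
  return {
    header, payload, signature, times, verified: false,
    expired: typeof payload.exp === "number" && payload.exp <= nowSeconds,
    notYetValid: typeof payload.nbf === "number" && payload.nbf > nowSeconds,
  };
}

// Constructed sample token: claims and kid are made up; the signature is a placeholder.
function base64urlEncode(str) {
  const b64 = btoa(String.fromCharCode(...new TextEncoder().encode(str)));
  return b64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}
const SAMPLE_TOKEN = [
  base64urlEncode(JSON.stringify({ alg: "HS256", typ: "JWT", kid: "example-key-1" })),
  base64urlEncode(JSON.stringify({ sub: "user-42", iss: "https://auth.example", aud: "api.example",
                                   iat: 1700000000, exp: 1700003600, roles: ["admin"] })),
  "signature-not-checked",
].join(".");

console.log(JSON.stringify(inspectJwt(SAMPLE_TOKEN), null, 2));
```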
Privacy
Everything happens in your browser. Your tokens never leave the page. This matters because JWTs often contain user IDs, emails, roles, and session data you probably don't want in someone else's server logs.