JWT Decoder
See what's inside your JWT. We won't tell anyone.
What this does
Paste a JWT and see what's actually in it. A JWT is three base64url-encoded chunks separated by dots. Header, payload, signature. That's it. The header and payload are JSON; the signature is raw bytes. The header and payload are just encoded, not encrypted, which means anyone can read them. This tool splits on the dots and decodes the first two parts. The signature stays as raw base64url because verifying it requires the secret or public key (which you shouldn't paste into websites, including this one).
The header typically contains two fields: alg (the signing algorithm, usually RS256 or HS256) and typ (almost always "JWT"). Sometimes you'll see a kid (key ID) in there too, which tells the verifier which key to use. Not exciting, but useful when debugging auth issues.
The payload is where the interesting stuff lives. Standard claims include sub (subject, usually a user ID), iat (issued at, Unix timestamp), exp (expiration, also Unix timestamp), iss (who issued it), and aud (intended audience). Most JWTs also carry custom claims: roles, permissions, email addresses, whatever the auth system decided to pack in there. This tool pretty-prints all of it so you can actually read it.
Common debugging scenarios where this helps: your API returns 401 and you need to check if the token expired (compare exp against the current time). Or the token works in staging but not production because the aud claim doesn't match. Or your auth middleware rejects tokens that are technically valid but were issued a few seconds in the future because of clock skew between servers. All of these become obvious once you can see the actual payload.
One thing worth understanding: decoding a JWT does not mean trusting it. Anyone can create a JWT with any payload they want. The signature is what proves it's legitimate, and verifying that signature requires the server's secret or public key. This tool shows you what's in the token. It doesn't tell you whether the token is genuine. Never make authorization decisions based on a decoded-but-unverified JWT.
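As an added example (not this tool's own source), here is the decode-without-verify step in JavaScript, the language a browser tool like this would use, plus the exp/iat checks from the debugging scenarios above with a leeway parameter for clock skew. The token, its claim values and the placeholder signature segment are constructed for this example; base64UrlDecode, decodeJwt and describeTimes are hypothetical names.

```javascript
// Constructed sample token: HS256 header, payload {"sub":"42","exp":1700003600,"iat":1700000000}.
// The third segment is a placeholder, not a real HMAC: this code never verifies it.
const SAMPLE_JWT =
  "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9" +
  ".eyJzdWIiOiI0MiIsImV4cCI6MTcwMDAwMzYwMCwiaWF0IjoxNzAwMDAwMDAwfQ" +
  ".placeholder-signature-not-verified";

// base64url -> string: swap the URL-safe alphabet back, restore the stripped
// padding, then decode the bytes as UTF-8 (claims may contain non-ASCII text).
function base64UrlDecode(segment) {
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes);
}

// Split on the dots and decode header and payload only; the signature stays raw.
// `verified` is always false here: decoding says nothing about authenticity.
function decodeJwt(token) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) {
    throw new Error(`expected 3 dot-separated segments, got ${parts.length}`);
  }
  const [h, p, sig] = parts;
  return {
    header: JSON.parse(base64UrlDecode(h)),
    payload: JSON.parse(base64UrlDecode(p)),
    signature: sig,
    verified: false,
  };
}

// Compare exp/iat against a clock (Unix seconds). `leewaySeconds` tolerates
// skew between the issuing and verifying servers; RFC 7519 treats now >= exp as expired.
function describeTimes(payload, nowSeconds = Math.floor(Date.now() / 1000), leewaySeconds = 0) {
  const toIso = (t) => (typeof t === "number" ? new Date(t * 1000).toISOString() : null);
  return {
    issuedAt: toIso(payload.iat),
    expiresAt: toIso(payload.exp),
    expired: typeof payload.exp === "number" && nowSeconds >= payload.exp + leewaySeconds,
    issuedInFuture: typeof payload.iat === "number" && payload.iat > nowSeconds + leewaySeconds,
  };
}
```

Running decodeJwt(SAMPLE_JWT) yields the header and payload objects; describeTimes on that payload turns the epoch claims into ISO dates and flags the two 401 causes mentioned above (expired, or issued in the future relative to the verifier's clock).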
It auto-decodes as you paste, so results are instant. Header gets a blue label, payload gets green, signature gets gray. Color-coded so you can tell them apart at a glance. Timestamps are converted to human-readable dates because nobody thinks in Unix epochs.
Everything happens in your browser. Your tokens never leave the page. This matters because JWTs often contain user IDs, emails, roles, and session data you probably don't want sitting in someone else's server logs.