What is a JWT Decoder?

Ever been staring at a long string like `eyJhbGciOi...` in an API response and wondered what's actually in it? That's a JWT — a JSON Web Token — and this tool cracks it open in seconds. As defined by RFC 7519, JWTs are compact, URL-safe tokens used for authentication and data exchange. The JWT.io introduction explains the structure well: a JWT has three Base64URL-encoded parts — header, payload, and signature — separated by dots. The MDN atob() docs explain how Base64 decoding works under the hood. If you're working with OAuth2 or OIDC tokens, the OpenID Connect spec defines the standard claims you'll see in payloads. Everything here runs in your browser — your token never leaves your machine.

A JWT consists of three Base64URL-encoded parts separated by dots: the Header (algorithm and token type), the Payload (claims/data), and the Signature (used to verify the token).

How to Use the JWT Decoder

1. Paste your JWT token
Copy a JWT token from your application, API response, or browser storage and paste it into the input editor.

2. Inspect the decoded output
The tool automatically decodes the header and payload as formatted JSON. The signature is also displayed for reference.

3. Copy or download the result
Use the Copy button to copy the decoded JSON to your clipboard, or Download to save it as a .json file.

JWT Decoding Example

Here is an example of a JWT token and its decoded contents:
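As an added example (not this tool's own code), the JavaScript below performs the decode-only inspection this page describes: it splits the token on dots, Base64URL-decodes the header and payload as UTF-8 JSON, and returns the signature untouched. It goes one step further by adding a note when `exp` is already in the past. The function names, the sample claims and the placeholder signature are constructed for illustration.

```javascript
// Added example: decode-only JWT inspection. Nothing here verifies the signature.
function b64urlToText(part) {
  // Base64URL -> Base64: swap the URL-safe characters and restore '=' padding.
  const b64 = part.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  // atob yields a binary string; decode its bytes as strict UTF-8.
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes);
}

function decodeJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const [header, payload] = parts.slice(0, 2).map((p) => JSON.parse(b64urlToText(p)));
  // Decoding proves nothing about authenticity, so say so in the result.
  const notes = ["signature not verified: treat every claim as untrusted"];
  if (typeof payload.exp === "number" && payload.exp <= nowSeconds) {
    notes.push("exp is in the past");
  }
  return { header, payload, signature: parts[2], notes };
}

// Helper used only to build the constructed sample token below.
function textToB64url(text) {
  const bin = String.fromCharCode(...new TextEncoder().encode(text));
  return btoa(bin).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Constructed sample token (hypothetical claims, placeholder signature).
const SAMPLE_TOKEN = [
  textToB64url(JSON.stringify({ alg: "HS256", typ: "JWT" })),
  textToB64url(JSON.stringify({ sub: "user-123", name: "Zo\u00eb", iat: 1700000000, exp: 1700003600 })),
  "not-a-real-signature",
].join(".");

console.log(JSON.stringify(decodeJwt(SAMPLE_TOKEN), null, 2));
```

Because the signature is never checked, the output is suitable for debugging only; authorization decisions need a verifying library and the correct key.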


Frequently Asked Questions

Is it safe to paste my JWT token here?

Yes, completely. All decoding happens in your browser — your JWT token is never sent to any server. If your token contains sensitive production data, you can still use this tool safely.

What does the signature section show?

The signature is displayed as a Base64URL-encoded string. Verification requires the secret or public key and is not performed here — this tool only decodes the header and payload content.

Can I decode expired JWT tokens?

Yes. This tool only decodes the token structure — it does not validate expiry (exp), issuer (iss), audience (aud), or any other claims. Expired tokens decode just fine.

What JWT algorithms are supported?

All JWT algorithms work here — HS256, RS256, ES256, PS256, and others — because the decoder only Base64URL-decodes the header and payload without needing to verify the signature.

How is a JWT structured?

A JWT has three dot-separated parts: the header (algorithm and type), the payload (claims like sub, exp, iat), and the signature. Each part is Base64URL-encoded. You can read a detailed overview on Wikipedia: JSON Web Token.
