JWT Decoder

Decode JWT tokens locally in your browser

⚠️ Important Security Notice: This tool only decodes JWT tokens - it does NOT verify signatures. Decoding is not the same as validation. Never trust decoded data without proper signature verification on your server.

JWT Token

Enter a JWT token to decode its header and payload

Header

Payload

Signature (Base64URL)

What is JWT Decoding?

JSON Web Tokens (JWT) are a compact, URL-safe means of representing claims between two parties. A JWT consists of three parts separated by dots: Header.Payload.Signature. This tool decodes the Base64URL-encoded header and payload to reveal their JSON content.

How to Use

Paste your JWT token into the input field
Click "Decode JWT" to see the decoded header and payload
Review the decoded information in formatted JSON
Copy individual sections if needed

Example

Input (JWT Token):

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Decoded Header:

{
  "alg": "HS256",
  "typ": "JWT"
}

Decoded Payload:

{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022
}

Understanding JWT Structure

Header: Contains metadata about the token, including the signing algorithm (alg) and token type (typ)
Payload: Contains the claims - statements about the user and additional data
Signature: Used to verify the token hasn't been tampered with (requires the secret key)

Security Considerations

Critical: Decoding a JWT is NOT the same as verifying it. This tool only reveals the content of the token - it does not validate the signature. Anyone can decode a JWT, but only parties with the secret key can verify its authenticity. Always verify JWT signatures on your server before trusting the data.

Privacy Notice

All JWT decoding happens entirely in your browser. Your tokens are never transmitted to any server, ensuring complete privacy and security. This is especially important since JWTs often contain sensitive authentication information.

Frequently Asked Questions

What is the difference between decoding and verifying a JWT?

Decoding simply reveals the content of the JWT by Base64URL-decoding the header and payload. Verification checks the signature to ensure the token is authentic and hasn't been tampered with. This tool only decodes - it does not verify signatures. Signature verification requires the secret key and should always be done on your server.

Can I use this tool to validate JWT signatures?

No, this tool only decodes the JWT to show its contents. Signature validation requires the secret key used to sign the token, which should never be exposed in a browser. Always verify JWT signatures on your backend server using a proper JWT library.

Why am I getting an "Invalid JWT format" error?

JWTs must have exactly three parts separated by dots (header.payload.signature). This error occurs if the token is incomplete, corrupted, or not a valid JWT. Make sure you've copied the complete token including all three parts.

What are the common JWT claims?

Common JWT claims include: iss (issuer), sub (subject), aud (audience), exp (expiration time), nbf (not before), iat (issued at), and jti (JWT ID). You may also see custom claims specific to your application.

Is my JWT token sent to a server?

No, all decoding happens in your browser. Your JWT token never leaves your device, ensuring complete privacy and security. This is crucial since JWTs often contain sensitive authentication and authorization information.

What is Base64URL encoding?

Base64URL is a variant of Base64 encoding that uses URL-safe characters. It replaces + with - and / with _, and omits padding (=) to make tokens safe for use in URLs and HTTP headers.