JWT Decoder — Decode JSON Web Tokens
Decode JWT tokens online — view header, payload, and signature. Free JWT decoder with expiry detection. Client-side only, tokens stay in browser.
🔒 Tokens are decoded entirely in your browser — nothing is sent to any server.
Three steps to get started
Paste your JWT
Paste a JWT token into the text area. It should start with "eyJ" and contain two dots separating the three parts.
View decoded parts
The header, payload, and signature are decoded and displayed instantly. Check the expiry badge to see whether the token has expired.
Copy any section
Use the Copy button next to any section to copy the formatted JSON for use in debugging or documentation.
Understanding JSON Web Tokens
JWTs have become the standard token format for web authentication. When you log into a web application, the server typically returns a JWT that your browser stores and sends with every subsequent API request. The server can verify the token without looking it up in a database — because the signature proves it was issued by someone with the secret key.
The three parts of a JWT
- Header — contains the token type (typ: "JWT") and signing algorithm (alg: "HS256", "RS256", etc.)
- Payload — contains claims: data about the user (sub, email, role) and metadata (iat, exp)
- Signature — a cryptographic signature of the header + payload, verifiable only with the signing key
Important: JWTs are encoded, not encrypted
A common misconception: JWTs are not encrypted. The header and payload are only Base64URL-encoded, which anyone can decode without a key — as this tool demonstrates. Never put sensitive data like passwords or payment details in a JWT payload unless you use JWE (JSON Web Encryption). The signature ensures the token was not modified, but the contents are readable by anyone who has the token.
All decoding happens in your browser. No tokens are ever sent to a server.