Decode a JSON Web Token (JWT) to inspect its header, payload, and signature
To decode a JWT, paste the token into the box and the tool splits it into header and payload and pretty-prints the JSON. Expiry and issued-at claims are shown as readable dates. Decoding happens entirely in your browser, so nothing is sent to a server, and the signature is not verified.
A JSON Web Token (JWT) is a compact, URL-safe way to represent claims between two parties. It is made of three base64url-encoded parts separated by dots: the header, the payload, and the signature — written as header.payload.signature.
The header describes the token type and signing algorithm. The payload contains the claims (such as the subject, issued-at time, and expiration). The signature is used by the issuer to verify that the token has not been tampered with.
This decoder splits the token, base64url-decodes the header and payload, and pretty-prints them as JSON. It does not verify the signature — anyone can read a JWT, so never store secrets in the payload.