JWT Decoder
Paste a JSON Web Token to decode its header and payload from base64url into readable JSON. The signature is not verified - this only reads claims, and everything stays in your browser.
About the JWT Decoder
A JSON Web Token is three base64url-encoded parts joined by dots: a header, a payload, and a signature. This tool splits the token, decodes the header and payload from base64url back into readable JSON, and shows the claims inside - things like iss, sub, exp, and any custom data. It is the quickest way to see what an access token actually contains while debugging auth flows.
How to use it
- Paste the full token, including all three dot-separated parts.
- Read the decoded header to see the algorithm and type.
- Read the payload to inspect the claims and expiry.
- Compare claims against what your application expects.
This is a decoder, not a verifier: it does not check the signature, so a decoded token is not proof that it is authentic or untampered - always verify signatures server-side with the signing key. JWT payloads are only encoded, not encrypted, so never assume they are secret. Decoding runs entirely in your browser, so your tokens are never uploaded.
Frequently asked questions
Does this JWT decoder verify the signature?
No. It only decodes the header and payload so you can read the claims. It does not validate the signature, so a token decoding successfully does not mean it is authentic.
Can it read the expiry of my token?
Yes. If the payload includes the standard exp claim, it appears in the decoded JSON as a Unix timestamp that you can compare against the current time.
Is the JWT payload encrypted?
No. The header and payload are only base64url-encoded, not encrypted. Anyone with the token can read them, so never store secrets in a JWT payload.
Is my token sent to a server when I decode it?
No. Decoding happens entirely in your browser, so your token and its claims are never uploaded.