HomeDev Tools › JWT Decoder

JWT Decoder

Decode the header and payload of a JSON Web Token. Warns about expiration. Does not verify the signature (offline).

JWT Decoder decodes a JWT token to reveal its header and payload as readable JSON, no secret key required. Extremely handy for debugging authentication, checking token expiration, or viewing claims like user permissions. Any token you paste here is decoded right on your machine and never sent anywhere.

How to use JWT Decoder

  1. Paste your JWT string (three parts separated by dots: xxxxx.yyyyy.zzzzz).
  2. View the decoded, formatted header and payload.
  3. Check fields like exp (expiration), iat (issued at), and sub (subject) to understand the token.

What parts make up a JWT?

A JWT has three parts separated by dots: Header (the signing algorithm, e.g. HS256), Payload (claims such as user id, permissions, and expiration), and Signature (verifies authenticity). The first two parts are only Base64URL-encoded — not encrypted — so anyone can read their contents without a key.

Why shouldn't you put sensitive data in the payload?

Because the payload can be decoded easily (exactly as this tool does), never put passwords or other secrets in it. The signature only guarantees the token hasn't been tampered with — it doesn't hide the content. If you need to keep the content confidential, you need separate encryption (JWE), or simply leave it out of the token.

Frequently asked questions

Do you need a secret to decode a JWT?

No. The header and payload are only Base64URL-encoded, so they can be read without a key. To check whether the signature is valid, use the JWT Verify tool.

Is my token stored anywhere?

No. All processing runs right in your browser, so no data is ever sent to any server.

How do I know if a token has expired?

Check the exp field in the payload — it's a Unix timestamp. If that time has already passed, the token has expired.

What's the difference between decoding and verifying a JWT?

Decoding just reads the content (no key needed). Verifying checks the signature against a secret to confirm the token was issued by the right party and hasn't been altered.

🔒 JWT Decoder runs entirely in your browser — the data you enter is not sent to any server. Free, no sign-up required. See145 free dev tools more.