JWT decoder
Decode a JSON Web Token to inspect its header and payload. Decoding happens locally — your token is never sent anywhere.
{
  "alg": "HS256",
  "typ": "JWT"
}

{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022
}

About this JWT decoder
Paste a JSON Web Token to read its header and payload as nicely formatted JSON, including the expiry time if present. Because a JWT is a credential, the decoding happens entirely in your browser — your token is never transmitted.
What’s inside a JWT
A JWT has three dot-separated parts: a header (algorithm and type), a payload (the claims — who, what, when), and a signature. The header and payload are just Base64URL-encoded JSON, which is why anyone can read them — so never put secrets in a payload.
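The structure described above, as an added JavaScript example (not this tool's own code): it splits a token on the dots, Base64URL-decodes the header and payload, and reports the expiry if an exp claim is present, without ever checking the signature. The function names, the placeholder signature and the exp claim added to the sample payload are constructed for illustration.

```javascript
// Added example: decode (NOT verify) a JWT locally. Runs in a browser or Node.
function base64UrlDecode(segment) {
  if (!/^[A-Za-z0-9_-]+$/.test(segment)) throw new Error("not Base64URL");
  if (segment.length % 4 === 1) throw new Error("invalid Base64URL length");
  // Map the URL-safe alphabet back to standard Base64 and restore padding.
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/")
    .padEnd(Math.ceil(segment.length / 4) * 4, "=");
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  // fatal:true rejects byte sequences that are not valid UTF-8.
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes);
}

function decodeJwt(token) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected three dot-separated parts");
  // Only the first two parts are JSON; the third is the raw signature.
  const [header, payload] = parts.slice(0, 2)
    .map((p) => JSON.parse(base64UrlDecode(p)));
  // Decoding proves nothing about authenticity, so say so in the result.
  const result = { header, payload, signatureVerified: false };
  if (typeof payload.exp === "number") {
    // exp is seconds since the Unix epoch; Date wants milliseconds.
    result.expiresAt = new Date(payload.exp * 1000).toISOString();
    result.expired = payload.exp * 1000 <= Date.now();
  }
  return result;
}

// Helper used only to build the constructed sample token below.
function base64UrlEncode(obj) {
  const bytes = new TextEncoder().encode(JSON.stringify(obj));
  return btoa(String.fromCharCode(...bytes))
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Constructed sample: the page's header and payload plus an assumed exp claim.
const sampleToken = [
  base64UrlEncode({ alg: "HS256", typ: "JWT" }),
  base64UrlEncode({ sub: "1234567890", name: "John Doe",
                    iat: 1516239022, exp: 1516242622 }),
  "c2lnbmF0dXJlLXBsYWNlaG9sZGVy", // placeholder, not a real signature
].join(".");

console.log(decodeJwt(sampleToken));
```

The placeholder signature does not stop the decode from succeeding, which is why the result carries signatureVerified: false and why decoded claims must not be trusted until a server has verified the token.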
FAQ
Does this verify the signature?
No — it only decodes the token. Verifying the signature requires the secret or public key and should be done on the server, never in the browser.
Is it safe to paste my token here?
Yes — decoding is 100 percent in-browser and nothing is sent anywhere. Never paste real tokens into tools that transmit them to a server.