JWT Decoder

Decode JSON Web Tokens (JWTs) to inspect their header and payload.

Overview

The JWT Decoder allows you to easily inspect the contents of a JSON Web Token (JWT). A JWT is a compact, URL-safe means of representing claims to be transferred between two parties. This tool breaks down a JWT into its three constituent parts: Header, Payload, and Signature. It then Base64Url-decodes the Header and Payload sections and pretty-prints the resulting JSON, allowing you to view the claims and metadata within the token. Note: This tool *only decodes* the token; it *does not validate the signature*.

Use Cases

  • Debugging authentication and authorization flows in web applications.
  • Understanding the claims (e.g., user ID, roles, expiration time) contained within a JWT.
  • Verifying the structure and content of JWTs issued by an identity provider or your own auth server.
  • Learning about the structure of JSON Web Tokens.
  • Quickly inspecting tokens during development or testing phases.

How It Works

Paste the full JWT string into the input area. Click the "Decode JWT" button. The tool first splits the JWT string by the period (`.`) character into three segments. The first segment is the Base64Url-encoded Header, and the second is the Base64Url-encoded Payload. These segments are then decoded from Base64Url to their original JSON string representations. Finally, these JSON strings are parsed and pretty-printed for display. The third segment, the Signature, is displayed as is: it is not JSON, and it cannot be checked without the secret or public key.
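
The steps above as an added Node.js example; this is not the tool's own code. The function names, the `signatureVerified` field, the `timeStatus` helper and the sample token are assumptions made for illustration, and the signature segment of the sample is a constructed placeholder.

```javascript
function b64urlToBytes(seg) {
  // Base64Url: '-' and '_' replace '+' and '/', and '=' padding is omitted.
  if (!/^[A-Za-z0-9_-]+$/.test(seg) || seg.length % 4 === 1) {
    throw new Error("segment is not valid Base64Url");
  }
  const b64 = seg.replace(/-/g, "+").replace(/_/g, "/");
  return Buffer.from(b64, "base64"); // Buffer accepts unpadded input
}

function decodeSegment(seg, name) {
  // fatal:true rejects invalid UTF-8 instead of silently substituting U+FFFD.
  const text = new TextDecoder("utf-8", { fatal: true }).decode(b64urlToBytes(seg));
  const obj = JSON.parse(text);
  if (obj === null || typeof obj !== "object" || Array.isArray(obj)) {
    throw new Error(`${name} is not a JSON object`);
  }
  return obj;
}

function decodeJwt(token) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) {
    throw new Error(`expected 3 dot-separated segments, got ${parts.length}`);
  }
  return {
    header: decodeSegment(parts[0], "header"),
    payload: decodeSegment(parts[1], "payload"),
    signature: parts[2],        // shown as is
    signatureVerified: false,   // claims are untrusted until verified elsewhere
  };
}

// exp/nbf are NumericDate values (seconds since the Unix epoch).
function timeStatus(payload, nowSeconds) {
  return {
    expired: typeof payload.exp === "number" && nowSeconds >= payload.exp,
    notYetValid: typeof payload.nbf === "number" && nowSeconds < payload.nbf,
  };
}

// Constructed sample token; the third segment is a placeholder, not a real MAC.
const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64")
  .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const SAMPLE_TOKEN = [
  enc({ alg: "HS256", typ: "JWT" }),
  enc({ sub: "user-123", name: "Zoë", iat: 1700000000, exp: 1700003600 }),
  "Y29uc3RydWN0ZWQ",
].join(".");
console.log(JSON.stringify(decodeJwt(SAMPLE_TOKEN), null, 2));
```

Because nothing here checks the signature, the decoded claims and the `timeStatus` result describe what the token says, not what a server should trust.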

Tips for Better Usage

  • **Security Warning:** Never paste JWTs containing sensitive production credentials or personal information into untrusted online tools. While this tool operates client-side, it's a good general security practice.
  • This tool does not validate the JWT's signature. Signature validation requires the secret key (for HMAC algorithms) or the public key (for RSA/ECDSA algorithms) used to sign the token, which is not handled by this decoder.
  • Common claims in a JWT payload include `iss` (issuer), `sub` (subject), `aud` (audience), `exp` (expiration time), `nbf` (not before time), `iat` (issued at time), and `jti` (JWT ID).
  • The header typically contains the token type (`typ`, usually "JWT") and the signing algorithm (`alg`, e.g., "HS256", "RS256").

Frequently Asked Questions