JWT decoder
JWT decoder is a browser-based inspection tool for JSON Web Tokens that decodes the header, payload, and expiry claims entirely client-side. All inspection runs in your browser, paste any token starting with "ey" and see all claims formatted instantly.
JWT token
⚠ Signature not verified, client-side only
VIEW
Runs entirely in your browser
Dedicated pages
Direct links for each decoder view.
JWT decoder
Decode a JWT token and inspect the header and payload. Runs entirely in your browser.
JWT header decoder
Decode and inspect the header section of a JWT. See the algorithm (alg) and token type (typ) claims.
JWT payload decoder
Decode and inspect the payload (claims) of a JWT. See user ID, roles, expiry, and any custom claims.
Decode JWT Token Offline
Decode a JWT token completely offline and without uploading it. All decoding runs in your browser using standard JavaScript. No account required.
Decode JWT Token
Decode a JWT token and inspect its header and payload claims in your browser. Free, private. Runs in your browser.
JWT Payload Decoder
Decode and inspect the payload claims of a JWT in your browser. See user ID, expiry, roles, and custom claims. Runs in your browser.
How to decode a JWT
- Paste your JWT token into the input area, it starts with ey and contains two dots separating three parts.
- The header, payload, and signature sections are decoded and displayed separately.
- Inspect the claims in the payload, expiry time, issuer, subject, and custom fields.
- Check whether the token has expired based on the exp claim.
Common uses
- Inspecting the claims inside a JWT from an API response during debugging, use JSON formatter to pretty-print the decoded payload
- Checking the expiry time of an authentication token to troubleshoot session issues. The Unix timestamp converter helps translate the exp claim to a readable date
- Verifying the structure and contents of a JWT before implementing token handling
Technical specification
- Algorithm or formula: Token is split on the two dots into header, payload, and signature segments. Each Base64url segment is normalised (+, / and padding) then decoded with
atoband parsed viaJSON.parse. UTF-8 handling uses percent-encoded byte expansion to preserve non-ASCII claims. - Browser API or library: Native
atobandJSON.parse. No external library. - Input limits: Any JWS-encoded token small enough for the browser to hold in memory.
- Output: Decoded JSON header, decoded JSON payload, and the raw Base64url signature segment.
- Known limitations: Signature verification is not performed. Use this tool for inspection only; trust decisions need a server-side check against the signing key.
Frequently asked questions
- Is my JWT sent to a server?
- No. Decoding is done entirely in your browser using JavaScript.
- Does this verify the JWT signature?
- The tool decodes the payload without verifying the cryptographic signature, verification requires the secret or public key. This tool is for inspection only, not security validation.
- What is Base64url encoding?
- JWTs use Base64url, a URL-safe variant of Base64 that replaces + with - and / with _. This makes tokens safe to include in URLs without additional encoding.
- Can I see the raw header and payload?
- Yes. The tool shows both the decoded JSON and the raw Base64url-encoded string for each section of the token.
Reviewed and tested May 26, 2026.