Is my JWT sent to a server?

No. Decoding is done entirely in your browser using JavaScript.

Does this verify the JWT signature?

The tool decodes the payload without verifying the cryptographic signature, verification requires the secret or public key. This tool is for inspection only, not security validation.

What is Base64url encoding?

JWTs use Base64url, a URL-safe variant of Base64 that replaces + with - and / with _. This makes tokens safe to include in URLs without additional encoding.

Can I see the raw header and payload?

Yes. The tool shows both the decoded JSON and the raw Base64url-encoded string for each section of the token.

JWT decoder

JWT decoder is a browser-based inspection tool for JSON Web Tokens that decodes the header, payload, and expiry claims entirely client-side. All inspection runs in your browser, paste any token starting with "ey" and see all claims formatted instantly.

JWT token

⚠ Signature not verified, client-side only

VIEW

Runs entirely in your browser

Dedicated pages

Direct links for each decoder view.

JWT decoder

Decode a JWT token and inspect the header and payload. Runs entirely in your browser.

JWT header decoder

Decode and inspect the header section of a JWT. See the algorithm (alg) and token type (typ) claims.

JWT payload decoder

Decode and inspect the payload (claims) of a JWT. See user ID, roles, expiry, and any custom claims.

Decode JWT Token Offline

Decode a JWT token completely offline and without uploading it. All decoding runs in your browser using standard JavaScript. No account required.

Decode JWT Token

Decode a JWT token and inspect its header and payload claims in your browser. Free, private. Runs in your browser.

JWT Payload Decoder

Decode and inspect the payload claims of a JWT in your browser. See user ID, expiry, roles, and custom claims. Runs in your browser.

How to decode a JWT

Paste your JWT token into the input area, it starts with ey and contains two dots separating three parts.
The header, payload, and signature sections are decoded and displayed separately.
Inspect the claims in the payload, expiry time, issuer, subject, and custom fields.
Check whether the token has expired based on the exp claim.

Common uses

Inspecting the claims inside a JWT from an API response during debugging, use JSON formatter to pretty-print the decoded payload
Checking the expiry time of an authentication token to troubleshoot session issues. The Unix timestamp converter helps translate the exp claim to a readable date
Verifying the structure and contents of a JWT before implementing token handling

Technical specification

Algorithm or formula: Token is split on the two dots into header, payload, and signature segments. Each Base64url segment is normalised (+, / and padding) then decoded with atob and parsed via JSON.parse. UTF-8 handling uses percent-encoded byte expansion to preserve non-ASCII claims.
Browser API or library: Native atob and JSON.parse. No external library.
Input limits: Any JWS-encoded token small enough for the browser to hold in memory.
Output: Decoded JSON header, decoded JSON payload, and the raw Base64url signature segment.
Known limitations: Signature verification is not performed. Use this tool for inspection only; trust decisions need a server-side check against the signing key.

Frequently asked questions

Is my JWT sent to a server?: No. Decoding is done entirely in your browser using JavaScript.
Does this verify the JWT signature?: The tool decodes the payload without verifying the cryptographic signature, verification requires the secret or public key. This tool is for inspection only, not security validation.
What is Base64url encoding?: JWTs use Base64url, a URL-safe variant of Base64 that replaces + with - and / with _. This makes tokens safe to include in URLs without additional encoding.
Can I see the raw header and payload?: Yes. The tool shows both the decoded JSON and the raw Base64url-encoded string for each section of the token.

Reviewed and tested May 25, 2026.