Inspect the payload (claims) section of a JWT, the second part of the token. The payload contains the actual data: user ID, roles, expiry time, and any custom claims your application adds.
VIEW
A JWT consists of three Base64URL-encoded parts separated by dots. The tool splits the token, fixes URL-safe base64 encoding (replacing - with + and _ with /), pads to a multiple of 4 characters, then decodes with atob() and parses with JSON.parse(). All of this runs in your browser. Our servers are not involved.
Your JWT is decoded entirely in your browser. Our servers are not involved at any point. Treat tokens as sensitive credentials and avoid pasting production tokens in shared or public environments. You can check this yourselfin your browser's DevTools Network tab.
JSON Web Token (JWT) is defined in RFC 7519 (IETF, 2015). A JWT consists of three Base64url-encoded sections separated by .: header, payload, and signature. Base64url encoding is defined in RFC 4648 §5, which substitutes + with - and / with _ and omits padding, making it safe for use in URLs without percent-encoding. Signed JWTs (JWS) are specified separately in RFC 7515.
alg (algorithm), typ (token type)sub, iss, exp, iat, audTo inspect the raw Base64 segments of a token, try Base64. For verifying the signing input by hash, use the hash generator. To pretty-print decoded payloads, see the JSON formatter.