JWT Decoder
Decode JSON Web Tokens (JWT) to view header and payload claims instantly, with optional HS256 signature verification.
How It Works
A JWT has three dot-separated parts: header, payload, and signature. The header and payload are base64url-encoded JSON objects.
This tool decodes those two JSON parts into readable text so you can inspect claims and debug authentication flows quickly.
If the JWT uses HS256, you can optionally verify the signature: the tool computes an HMAC-SHA256 signature locally and compares it to the token’s signature.
- Header: Contains metadata like alg (algorithm) and typ (token type).
- Payload: Contains claims like sub, iat, exp, roles, and custom fields.
- Signature: Used to detect tampering; HS256 can be verified with a shared secret.
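The structure and HS256 check described above, as an added example in Node.js (not this tool's own code): it decodes a token, then shows that a payload edited after signing still decodes but fails verification. The secret, the claims and the `signHs256` helper are constructed for the example.

```javascript
const nodeCrypto = require('node:crypto');

const B64URL = /^[A-Za-z0-9_-]+$/;

// Decode one base64url segment (header or payload) into a JSON object.
function decodeSegment(seg) {
  if (!B64URL.test(seg)) throw new Error('segment is not base64url');
  return JSON.parse(Buffer.from(seg, 'base64url').toString('utf8'));
}

// Decode only: split the token and parse header and payload. Proves nothing.
function decodeJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('JWT must have three dot-separated parts');
  return { header: decodeSegment(parts[0]), payload: decodeSegment(parts[1]), signature: parts[2] };
}

// Verify: recompute HMAC-SHA256 over "<header>.<payload>" exactly as received.
function verifyHs256(token, secret) {
  const { header, signature } = decodeJwt(token);
  // Only HS256 is checked; "none" or any other alg is reported as unverified.
  if (header.alg !== 'HS256' || !B64URL.test(signature)) return false;
  const signingInput = token.slice(0, token.lastIndexOf('.'));
  const expected = nodeCrypto.createHmac('sha256', secret).update(signingInput).digest();
  const actual = Buffer.from(signature, 'base64url');
  // timingSafeEqual throws on length mismatch, so compare lengths first.
  return actual.length === expected.length && nodeCrypto.timingSafeEqual(actual, expected);
}

// Constructed sample data: the secret and claims are made up for this example.
const b64 = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
function signHs256(header, payload, secret) {
  const input = `${b64(header)}.${b64(payload)}`;
  const sig = nodeCrypto.createHmac('sha256', secret).update(input).digest('base64url');
  return `${input}.${sig}`;
}
const SECRET = 'constructed-demo-secret';
const good = signHs256({ alg: 'HS256', typ: 'JWT' }, { sub: 'user-1', roles: ['viewer'] }, SECRET);
// Tampered copy: payload replaced after signing, original signature kept.
const [h, , s] = good.split('.');
const tampered = `${h}.${b64({ sub: 'user-1', roles: ['admin'] })}.${s}`;

console.log(decodeJwt(tampered).payload); // decoding succeeds on the tampered token
console.log(verifyHs256(good, SECRET), verifyHs256(tampered, SECRET)); // true false
```

Claims read from a decoded token are only trustworthy after `verifyHs256` returns true for it.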
When to Use a JWT Decoder
JWT decoding is helpful when your API rejects requests, a session expires too early, or you need to confirm which claims are being issued by your auth provider.
It’s also useful for quickly validating that a token includes the expected roles, scopes, or tenant identifiers before shipping changes.
- API debugging: Inspect Bearer tokens sent in Authorization headers.
- Auth troubleshooting: Check exp/iat and confirm claim contents.
- Documentation: Copy decoded JSON into bug reports or team docs.
FAQ
Does this JWT decoder upload my token?
No. Decoding happens locally in your browser and nothing is uploaded or stored.
Can it verify JWT signatures?
Yes, optionally for HS256 tokens. Enter the shared secret to verify the signature. Other algorithms are decoded but not verified.
Why does my token show an error?
JWTs must have three parts separated by dots and use base64url-encoded JSON for header and payload. If either part isn’t valid JSON, decoding will fail.
Is decoding the same as verifying?
No. Decoding reads the data inside the token. Verification checks that the signature matches and the token hasn’t been tampered with.
What claims should I look for?
Common ones include exp (expiry), iat (issued at), sub (subject/user id), aud (audience), iss (issuer), and custom app-specific claims.