JWT Decoder

What is a JWT decoder?

A JWT decoder converts the Base64-encoded parts of a JSON Web Token into readable JSON. It allows developers to inspect the header and payload to understand token contents without verifying the signature.

What is a JSON Web Token used for?

JWTs are widely used for authentication and authorization in modern web applications. They are commonly used in APIs, OAuth systems, and identity providers to securely transmit user identity and permissions.

Is it safe to paste production tokens here?

This JWT decoder runs entirely in your browser using client-side JavaScript. Your token is not transmitted, logged, or stored on any server.

Can I verify the signature?

No. Signature verification requires your private secret key or public certificate. To keep your secrets safe, we do not ask for them and therefore cannot verify the signature.

What happens if the token is expired?

The tool will still decode it so you can see why it expired (by checking the 'exp' claim), but the token itself would be rejected by your API.

What is the difference between decoding and verifying a JWT?

Decoding a JWT simply converts the Base64-encoded header and payload into readable JSON. Verifying a JWT checks the signature using a secret key or public key to ensure the token has not been tampered with. This tool only decodes tokens and does not perform signature verification.

Does this handle encrypted JWTs (JWE)?

No, this tool only supports standard signed JWTs (JWS). Encrypted tokens require a decryption key, which is not supported in this public tool.

Can I decode a JWT without the secret key?

Yes. Decoding does not require a secret key because it only reads the Base64-encoded header and payload. After decoding, you can format the JSON payload using our JSON Formatter to make the claims easier to read.

Why is the output just random characters?

Ensure you pasted the full token including the dots (.). If the token uses a non-standard encoding, it might not decode correctly.