JWT Decoder
JWT Decoder splits a JSON Web Token into its three parts and Base64URL-decodes the header and payload into clean, formatted JSON. Paste a token and instantly see the algorithm, claims and signature.
Decoding happens locally in your browser — the token is never sent to a server. Note that this tool reads a token but does not verify its signature.
Header
{
  "alg": "HS256",
  "typ": "JWT"
}
Payload
{
  "sub": "1234567890",
  "name": "Jane Doe",
  "iat": 1516239022
}
Signature
SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
This tool only decodes the token — it does not verify the signature. Anyone can read a JWT, so never trust an unverified payload. Use the JWT Inspector to check an HS256 signature with your secret.
How to use JWT Decoder
1. Paste your token
Drop a JWT (it usually starts with eyJ) into the input box. A sample token is loaded so you can see how it works.
2. Read the header and payload
The header and payload are decoded into formatted JSON in two panels, each with a copy button.
3. Inspect the signature
The third segment — the signature — is shown as-is. Use the JWT Inspector if you also want to verify it.
What is a JSON Web Token?
A JSON Web Token (JWT) is a compact, URL-safe way to represent claims between two parties. It has three Base64URL-encoded segments separated by dots: a header describing the signing algorithm and token type, a payload carrying the claims (such as the subject, issuer and expiry), and a signature that lets the recipient confirm the token hasn't been tampered with.
JWTs are widely used for authentication and authorization. After a user logs in, a server issues a signed token; the client then sends it with each request, and the server verifies the signature instead of looking the session up in a database. Because the payload is only encoded — not encrypted — anyone holding a token can read its contents.
Decoding vs verifying
Decoding a JWT simply reverses the Base64URL encoding to reveal the header and payload — no secret is required, and this tool does exactly that. It is perfect for debugging: checking which claims a token carries, what algorithm it uses, or when it expires.
Verifying a JWT is different. It uses the signing secret (for HS256) or public key (for RS256) to recompute the signature and confirm the token is authentic and unmodified. Never trust the contents of a decoded-but-unverified token in a security decision. When you need verification, use the JWT Inspector, which checks HS256 signatures with your secret.
Frequently asked questions
- Does this verify the signature?
- No. The decoder only reads the header and payload. To verify an HS256 signature with your secret, use the JWT Inspector.
- Is my token sent to a server?
- No. Decoding runs entirely in your browser and the token never leaves the page.
- Why can I read the payload without a secret?
- JWT payloads are Base64URL-encoded, not encrypted. Anyone with the token can read the claims, which is why you should never put secrets in a payload.
- What if my token is malformed?
- If the token doesn't have three segments, or the header or payload isn't valid Base64URL JSON, the tool shows a clear error instead of garbled output.