
JWT Decoder

Paste a JSON Web Token and instantly see its decoded header and payload as colored JSON, plus the raw signature segment. Tokens are live credentials, so decoding runs 100% in your browser: zero network requests, which you can verify in DevTools. Accepts a raw token or a full Authorization: Bearer value. Decode-only: it does not verify the signature, which should be done server-side.

What is a JWT decoder?

A JSON Web Token has three base64url segments: header.payload.signature. The header and payload are plain JSON: base64url is an encoding, not encryption, so anyone holding a token can read its claims. This tool splits the token and pretty-prints both parts so you can debug auth flows, inspect expiry, and check claims, entirely on your machine. Because tokens are live credentials, decoding them locally matters: pasting a real token into a site that uploads it is handing over a session.

Edge cases & gotchas

  • Base64url uses - and _ instead of + and /, with padding stripped, so a plain base64 decoder often fails on JWTs.
  • exp is seconds, not milliseconds (a common off-by-1000 bug).
  • Decoding ≠ trusting: always verify the signature server-side before acting on claims.
  • An alg: none token is unsigned. Reject it in production: a verifier should pin the algorithm it expects rather than read it from the token's header.
  • Five segments means JWE (encrypted), which genuinely cannot be read without the key.
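The decoding described above (split on the dots, base64url-decode the first two segments, parse them as JSON) together with the gotchas in the list, as an added JavaScript example that is not the tool's own source. The function names (base64urlToBytes, stripBearer, decodeJwt, claimTime) are this example's; the two sample tokens are the ones shown in the Examples section. The decoder ignores padding entirely, so it accepts the stripped-padding form that breaks plain base64 decoders, treats five segments as JWE, and converts exp/nbf/iat from seconds.

```javascript
// Added example, not the tool's own source: a client-side JWT decoder that
// follows the rules above. Sample tokens are the ones from the Examples section.

const B64 = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";

// base64url -> bytes. Maps -/_ back to +// and needs no padding at all: the loop
// emits a byte whenever 8 bits have accumulated and drops the leftover bits.
function base64urlToBytes(seg) {
  if (!/^[A-Za-z0-9_-]*$/.test(seg)) throw new Error("segment is not base64url");
  if (seg.length % 4 === 1) throw new Error("impossible base64url length");
  const std = seg.replace(/-/g, "+").replace(/_/g, "/");
  const out = [];
  let acc = 0, bits = 0;
  for (const ch of std) {
    acc = ((acc << 6) | B64.indexOf(ch)) & 0xffff; // at most 12 live bits
    bits += 6;
    if (bits >= 8) {
      bits -= 8;
      out.push((acc >> bits) & 0xff);
    }
  }
  return new Uint8Array(out);
}

const utf8 = new TextDecoder();

function decodeSegment(seg) {
  return JSON.parse(utf8.decode(base64urlToBytes(seg)));
}

// Accept a raw token or a full Authorization header value ("Bearer eyJ...").
function stripBearer(input) {
  const m = /^\s*(?:Authorization:\s*)?Bearer\s+(\S+)\s*$/i.exec(input);
  return m ? m[1] : input.trim();
}

// Unix seconds -> ISO string. Multiply by 1000 first: Date takes milliseconds.
function claimTime(seconds) {
  return new Date(seconds * 1000).toISOString();
}

function decodeJwt(input, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = stripBearer(input).split(".");
  if (parts.length === 5) {
    throw new Error("five segments: JWE (encrypted), unreadable without the key");
  }
  if (parts.length !== 3) {
    throw new Error(`expected header.payload.signature, got ${parts.length} segment(s)`);
  }
  const [h, p, signature] = parts;
  const header = decodeSegment(h);
  const payload = decodeSegment(p);
  const warnings = [];
  // alg none tokens have an empty third segment, i.e. they end with a trailing dot.
  if (header.alg === "none" || signature === "") {
    warnings.push("unsigned token (alg none or empty signature): reject in production");
  }
  const times = {};
  for (const c of ["exp", "nbf", "iat"]) {
    if (typeof payload[c] === "number") times[c] = claimTime(payload[c]);
  }
  if (typeof payload.exp === "number" && nowSeconds >= payload.exp) warnings.push("expired");
  if (typeof payload.nbf === "number" && nowSeconds < payload.nbf) warnings.push("not yet valid (nbf)");
  return { header, payload, signature, times, warnings };
}

// The two inputs from the Examples section.
const SAMPLE = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjMiLCJuYW1lIjoiQWRhIn0.sig";
const BEARER = "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjMifQ.x";
console.log(JSON.stringify(decodeJwt(SAMPLE), null, 2));
console.log(JSON.stringify(decodeJwt(BEARER), null, 2));
```

Nothing here touches the network; the only external input is the string you pass in. The warnings are advisory: the function reports an unsigned or expired token but, like the tool, it never decides whether a token is trustworthy.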

Registered claims reference

Claim   Meaning
iss     Issuer
sub     Subject (user id)
aud     Audience
exp     Expiry (Unix seconds)
nbf     Not valid before (Unix seconds)
iat     Issued at (Unix seconds)
jti     Token id (replay protection)

How to use

  1. Paste a JWT into the Input pane. A raw token or a full Authorization: Bearer … value both work.
  2. The decoded header, payload, and raw signature appear instantly as colored JSON.
  3. Check the claims: exp/iat/nbf are Unix timestamps (seconds).
  4. Copy the decoded JSON or inspect individual claims.
  5. Nothing is uploaded: decoding happens entirely in your browser.

Examples

Decode a token

Input
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjMiLCJuYW1lIjoiQWRhIn0.sig
Output
{
  "header": { "alg": "HS256", "typ": "JWT" },
  "payload": { "sub": "123", "name": "Ada" },
  "signature": "sig"
}

Bearer header value works too

Input
Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjMifQ.x
Output
{
  "header": { "alg": "HS256", "typ": "JWT" },
  "payload": { "sub": "123" },
  "signature": "x"
}

FAQ

Is my token sent to a server?

No. Decoding runs 100% in your browser. Open DevTools → Network and verify: zero requests. Tokens are credentials; never paste them into tools that upload them.

Does this verify the signature?

No, it decodes only. Signature verification requires the signing secret or public key and should happen server-side. The raw signature segment is shown for reference.

Why can a JWT be decoded without the secret?

The header and payload are just base64url-encoded JSON: encoding, not encryption. The secret only signs the token; it doesn't hide its contents. Never put sensitive data in a JWT payload.

How do I read exp / iat / nbf?

They're Unix timestamps in seconds: exp = expiry, iat = issued-at, nbf = not-before. Multiply by 1000 for JavaScript's new Date(ms).

What if my token has only two segments?

A two-segment string is not a valid compact JWT. A signed JWT (JWS) always has three segments; an unsecured JWT (alg: none) still has three, with an empty signature, so it ends with a trailing dot. Encrypted JWEs have five segments and cannot be decoded without the key.
