JWT Decoder

Decode JWT header and payload. Does NOT verify the signature — for inspection only.

About JWT Decoder

JWT Decoder splits a JSON Web Token apart and shows you its header and payload as readable JSON. It's for inspection — reading the claims, checking an expiry, or confirming an issuer — not for verifying authenticity: it does not validate the signature. Decoding happens entirely in your browser, which matters because tokens often carry session identity you don't want sent to a third-party site.

Category: dev
Input: accepts text/plain.
Output: outputs application/json.
Cost: free, runs in your browser
Memory: low
Privacy: JWT Decoder runs entirely on your device. Files you provide never leave your browser — no uploads, no server, no tracking. The page works offline once loaded.

Common uses

  • Check the exp claim on a bearer token to see whether it has expired
  • Read the iss and aud claims while debugging an OAuth or OpenID Connect flow
  • Confirm which scopes or roles a token carries before troubleshooting a 403
  • Inspect the alg field in a token header during an auth integration
  • Decode a token from an API response to verify the expected user ID is present
  • Sanity-check a JWT a service issued without pasting it into an untrusted website

Frequently asked questions

Does it verify the token's signature?

No. This tool decodes the header and payload for inspection only; it does not validate the signature or confirm the token is authentic.

Is my token sent to a server?

No. Decoding runs entirely in your browser, which is important because JWTs often contain live session or identity data.

What does it return?

The decoded header and payload as JSON, including standard claims like iss, sub, aud, exp, and iat where present.

Can it decode any JWT?

It decodes standard base64url-encoded JWTs with a header and payload. Encrypted JWE tokens, which hide their payload, aren't human-readable this way.

Why can't I see if the token is valid?

Validity depends on the signature, and checking it requires the shared secret or the signer's public key, which this inspection tool doesn't have. Use your auth library for verification.

What input format does it take?

Paste the JWT as plain text — the three dot-separated base64url segments.
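
The decoding described in the answers above, as an added example that is not this tool's own code: it splits the token, base64url-decodes the header and payload, rejects five-segment JWE tokens, and reads exp, all without checking the signature. The function names, the sample token and its issuer and claim values are constructed for illustration.

```javascript
// Added example: decode-only JWT inspection. The signature is never checked,
// so nothing returned here may be trusted for an authorization decision.

// base64url -> UTF-8 text (restores the padding that JWTs strip)
const b64urlToText = (seg) => {
  if (!/^[A-Za-z0-9_-]+$/.test(seg)) throw new Error("segment is not base64url");
  const b64 = seg.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes);
};

function decodeJwt(token) {
  const parts = token.trim().split(".");
  // Compact JWE has five segments and an encrypted payload: nothing to read.
  if (parts.length === 5) throw new Error("JWE (encrypted) token: payload is not readable");
  if (parts.length !== 3) throw new Error("expected three dot-separated segments");
  const header = JSON.parse(b64urlToText(parts[0]));
  const payload = JSON.parse(b64urlToText(parts[1]));
  return { header, payload, verified: false }; // third segment is ignored
}

// exp is seconds since the epoch; returns null when the claim is absent.
function isExpired(payload, nowSeconds = Math.floor(Date.now() / 1000)) {
  if (typeof payload.exp !== "number") return null;
  return nowSeconds >= payload.exp;
}

// Constructed sample token (placeholder signature, not a real credential).
const textToB64url = (text) =>
  btoa(String.fromCharCode(...new TextEncoder().encode(text)))
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const SAMPLE = [
  textToB64url(JSON.stringify({ alg: "HS256", typ: "JWT" })),
  textToB64url(JSON.stringify({
    iss: "https://issuer.example", sub: "user-123", aud: "api.example",
    exp: 1700000000, iat: 1699996400,
  })),
  "constructed-signature-not-checked",
].join(".");

const decoded = decodeJwt(SAMPLE);
console.log(decoded.header, decoded.payload, "expired:", isExpired(decoded.payload));
```

Because anyone can craft a token that decodes cleanly, the output is only useful for debugging; the alg value in the header in particular is attacker-controlled until the signature has been verified by your auth library.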

Keywords

  • jwt
  • token
  • decode
  • auth
  • bearer
  • payload
  • header
  • base64url
