JWT Decoder
Decode a JWT header and payload to readable JSON. Runs in your browser, no token leaves your device.
Independently verified for accuracy
Calculator by Toolsloft
The signature is not verified. Verifying needs the signing secret or public key.
Decode a JSON Web Token to read its header and payload. Paste a token and the tool shows the claims as formatted JSON, so you can check the algorithm, subject, expiry, and other fields. It does not verify the signature, which needs your secret or public key.
How this is calculated
The token is split on dots. The header and payload segments are base64url-decoded to UTF-8 and parsed as JSON, then re-serialized with two-space indentation. Invalid base64url or JSON is rejected. Per RFC 7519, the signature is not checked here because verification requires the signing key.
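The decode steps above, as an added JavaScript example (not this tool's own code). It assumes the three-segment compact form; `decodeSegment`, `decodeJwt` and `makeSampleToken` are illustrative names, and the sample token is constructed with a dummy third segment.

```javascript
// Added example: decode-only JWT inspection. Nothing here verifies the signature.
const B64URL = /^[A-Za-z0-9_-]+$/;

function decodeSegment(segment, name) {
  // Reject characters outside the base64url alphabet and impossible lengths.
  if (!B64URL.test(segment) || segment.length % 4 === 1) {
    throw new Error(`${name}: invalid base64url`);
  }
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/")
    .padEnd(Math.ceil(segment.length / 4) * 4, "=");
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  // fatal: true turns malformed UTF-8 into an error instead of U+FFFD.
  const text = new TextDecoder("utf-8", { fatal: true }).decode(bytes);
  const value = JSON.parse(text); // throws SyntaxError on invalid JSON
  if (value === null || typeof value !== "object" || Array.isArray(value)) {
    throw new Error(`${name}: not a JSON object`);
  }
  return value;
}

function decodeJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = String(token).trim().split(".");
  // Assumption: compact form with exactly three segments.
  if (parts.length !== 3) throw new Error("expected three dot-separated segments");
  const header = decodeSegment(parts[0], "header");
  const payload = decodeSegment(parts[1], "payload");
  return {
    header: JSON.stringify(header, null, 2),
    payload: JSON.stringify(payload, null, 2),
    alg: header.alg,
    // null when there is no numeric exp claim to compare against.
    expired: typeof payload.exp === "number" ? payload.exp <= nowSeconds : null,
    signatureVerified: false, // decoding says nothing about authenticity
  };
}

// Constructed sample token; the third segment is a dummy, not a real signature.
function makeSampleToken(header, payload) {
  const enc = (o) => btoa(JSON.stringify(o))
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc(header)}.${enc(payload)}.c2ln`;
}

const sample = makeSampleToken(
  { alg: "HS256", typ: "JWT" },
  { sub: "1234567890", name: "Example User", iat: 1516239022, exp: 1516242622 }
);
console.log(decodeJwt(sample, 1516240000));
```

Because `signatureVerified` is always `false`, the decoded claims are untrusted input until the token is verified with the signing secret or public key.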
How to use
- Paste the JWT you want to inspect.
- Read the decoded header and payload as formatted JSON.
- Check claims like exp, iat, and sub. The signature is not verified.
Examples
- Header: alg and typ, e.g. HS256 and JWT
- Payload: claims like sub, name, and iat (issued-at time)
FAQ
- Does this verify the signature?
- No. Verifying a JWT signature requires the secret (HMAC) or public key (RSA/ECDSA). This tool only decodes the header and payload so you can read the claims.
- Is my token sent anywhere?
- No. Decoding happens in your browser. The token you paste never leaves your device.
- Why does a token fail to decode?
- The header and payload must be valid base64url-encoded JSON. A token that is truncated, altered, or not a JWT is rejected.