JWT Decoder
Decode a JWT's header and payload — entirely in your browser, without verifying its signature.
Inputs
Saved Scenarios
— select 2+ to compare| Metric | |
|---|---|
Payload
{ "sub": "1234567890", "name": "John Doe", "iat": 1516239022 }
Header
{ "alg": "HS256", "typ": "JWT" }
Spark says
Formula
- Signature
- — Not decoded here — verifying it requires the issuer's secret/key
What is the JWT Decoder?
A JWT (JSON Web Token) has three base64url-encoded parts separated by dots: a header, a payload, and a signature. The header and payload are just encoded, not encrypted — anyone can decode and read them, which is exactly what this tool does, entirely in your browser.
How to use it
- 1 Paste a JWT token into the field.
- 2 Its decoded header and payload appear below.
Worked examples
Limitations
- •This tool only decodes — it does NOT verify the signature, so it cannot tell you whether a token is genuine, unexpired in a trust sense, or has been tampered with. Signature verification requires the issuer's secret or public key and should happen server-side.
Frequently asked questions
Is it safe to paste a real JWT here?
Decoding happens entirely client-side in your browser and the token is never sent to any server — but as good practice, avoid pasting tokens tied to sensitive production sessions into any third-party tool, this one included.
Why can't this tool tell me if the token is valid?
Validity requires checking the cryptographic signature against a secret or public key that only the issuing server (or a service you trust with it) should have — a client-side decoder has no way to verify that.