Skip to content
Calixo

JWT Decoder

Decode a JWT's header and payload — entirely in your browser, without verifying its signature.

Inputs

Saved Scenarios

— select 2+ to compare

Payload

{ "sub": "1234567890", "name": "John Doe", "iat": 1516239022 }

Header

{ "alg": "HS256", "typ": "JWT" }

Spark says

Formula

JWT=base64url(Header)+"."+base64url(Payload)+"."+SignatureJWT = base64url(Header) + "." + base64url(Payload) + "." + Signature
Signature
— Not decoded here — verifying it requires the issuer's secret/key

What is the JWT Decoder?

A JWT (JSON Web Token) has three base64url-encoded parts separated by dots: a header, a payload, and a signature. The header and payload are just encoded, not encrypted — anyone can decode and read them, which is exactly what this tool does, entirely in your browser.

How to use it

  1. 1 Paste a JWT token into the field.
  2. 2 Its decoded header and payload appear below.

Worked examples

Limitations

  • This tool only decodes — it does NOT verify the signature, so it cannot tell you whether a token is genuine, unexpired in a trust sense, or has been tampered with. Signature verification requires the issuer's secret or public key and should happen server-side.

Frequently asked questions

Is it safe to paste a real JWT here?

Decoding happens entirely client-side in your browser and the token is never sent to any server — but as good practice, avoid pasting tokens tied to sensitive production sessions into any third-party tool, this one included.

Why can't this tool tell me if the token is valid?

Validity requires checking the cryptographic signature against a secret or public key that only the issuing server (or a service you trust with it) should have — a client-side decoder has no way to verify that.