JWT Decoder
Decode and inspect JSON Web Tokens instantly in your browser. View the header, payload, and expiry of any JWT without sending it to a server
CODE TEXT
Tip: paste any JWT on the left — decoded header and payload update instantly. The signature is displayed but not verified.
Runs 100% Locally in Your Browser
This tool processes your data entirely on your device. Nothing is uploaded, stored, or sent to any server.
No Uploads
Privacy First
Secure by Default
Related Tools
List to Comma Separated Paste a list (one item per line) and convert it into a single string with your chosen separator
JSON Beautifier Paste your minified or messy JSON and get clean, properly indented output for easier reading, debugging, and development
JSON Minify Convert formatted or messy JSON into inline JSON instantly. Minify JSON by removing unnecessary whitespace and generate a compact single-line string
CSS Minifier Paste your CSS and get a compact, minified version instantly. Remove comments, whitespace, and redundant characters to reduce file size and improve page load performance
Frequently Asked Questions
What is a JSON Web Token (JWT)?
A JWT is a compact, URL-safe token made of three Base64-encoded parts — header, payload, and signature — used for authentication and information exchange.
How to decode a JWT without knowing the secret key?
Paste the token into the input — the header and payload are Base64-encoded and can be decoded without the secret; only signature verification requires it.
What information is stored in a JWT payload?
The payload contains claims such as the subject (user ID), issuer, expiry time (exp), and any custom application-defined fields.
Does decoding a JWT verify its signature?
No. Decoding only reads the contents; verification requires the secret or public key used to sign the token.
What is the difference between the JWT header, payload, and signature?
The header specifies the algorithm; the payload contains the claims; the signature ensures the token hasn't been tampered with.
How do I check if a JWT has expired?
Look for the 'exp' claim in the decoded payload — it is a Unix timestamp and the tool highlights it for you.
Is my JWT sent to a server when decoding?
No. Decoding runs entirely in your browser — your token is never transmitted anywhere.