JWT Decoder

Decode any JSON Web Token — header, payload, signature — in your browser.

  • No upload
  • Browser-based
  • Free
  • No signup
  • Text

Runs in your browser. Your text never leaves your device.

How to use JWT Decoder

  1. Paste your JWT into the input field. A JWT has three parts separated by dots: header.payload.signature.
  2. The decoded header, payload, and signature appear in three panels below.
  3. Click 'Load sample' to see how a JWT is structured with a realistic example.
  4. Timestamps (iat, exp, nbf) are shown in human-readable form next to the Payload heading, with an EXPIRED marker when exp is already in the past.
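The steps above, written out as code. This is an added example of the decode-only logic such a tool performs, not the page's own source: it splits the token, base64url-decodes the header and payload as UTF-8, keeps the signature as raw bytes for display, and labels the timestamp claims. The sample token is constructed inline with an arbitrary signature part (it was not issued by any provider), and the `now` parameter is an assumption added so expiry can be checked against a fixed clock. It uses only `atob`, `btoa`, `TextEncoder` and `TextDecoder`, so it runs unchanged in a browser or in Node 16+.

```javascript
// Added example: minimal decode-only JWT (JWS compact serialization) handling.
// It never verifies the signature; it only shows what the three parts contain.

function base64UrlToBytes(s) {
  // base64url -> standard base64, then restore the '=' padding JWTs omit
  let b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  while (b64.length % 4 !== 0) b64 += "=";
  const bin = atob(b64);
  const out = new Uint8Array(bin.length);
  for (let i = 0; i < bin.length; i++) out[i] = bin.charCodeAt(i);
  return out;
}

function base64UrlToJson(s) {
  // RFC 7519 requires the header and payload JSON to be UTF-8. Decoding the
  // bytes with TextDecoder (rather than using atob's Latin-1 string directly)
  // is what keeps non-ASCII names intact instead of turning them into "????".
  return JSON.parse(new TextDecoder("utf-8").decode(base64UrlToBytes(s)));
}

function decodeJwt(input, now = Math.floor(Date.now() / 1000)) {
  // Strip what usually comes along when copying from an Authorization header
  const token = input.trim().replace(/^Bearer\s+/i, "");
  const parts = token.split(".");
  if (parts.length === 5) {
    throw new Error("Not a valid JWT: five parts is a JWE (encrypted), not a JWS");
  }
  if (parts.length !== 3) {
    throw new Error("Not a valid JWT: expected header.payload.signature");
  }
  const [h, p, s] = parts;
  const header = base64UrlToJson(h);
  const payload = base64UrlToJson(p);
  const signature = base64UrlToBytes(s); // raw MAC/signature bytes, display only

  // Human-readable view of the registered time claims
  const times = {};
  for (const claim of ["iat", "nbf", "exp"]) {
    if (typeof payload[claim] === "number") {
      times[claim] = new Date(payload[claim] * 1000).toISOString();
    }
  }
  // RFC 7519: the token is valid only while nbf <= now < exp
  let status = "ACTIVE";
  if (typeof payload.exp === "number" && payload.exp <= now) status = "EXPIRED";
  else if (typeof payload.nbf === "number" && payload.nbf > now) status = "NOT_YET_VALID";

  return { header, payload, signatureLength: signature.length, times, status };
}

function base64UrlFromString(str) {
  // Encoder used only to build the constructed sample token below
  const bytes = new TextEncoder().encode(str);
  let bin = "";
  for (const b of bytes) bin += String.fromCharCode(b);
  return btoa(bin).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Constructed sample token (assumption: not from any real issuer). The third
// part is just the bytes of "signature-bytes"; a decoder does not check it.
const SAMPLE_JWT =
  base64UrlFromString('{"alg":"HS256","typ":"JWT"}') + "." +
  base64UrlFromString('{"sub":"user_42","name":"Gül Çelik","role":"admin","iat":1700000000,"exp":1700003600}') + "." +
  "c2lnbmF0dXJlLWJ5dGVz";

console.log(decodeJwt("Bearer " + SAMPLE_JWT + "\n"));
```

Passing a fixed `now` makes the expiry check reproducible; the tool's own display uses the current clock, which is why a token that decoded as ACTIVE yesterday can show EXPIRED today.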

Common use cases

  • API debugging. Read what claims your auth provider (Auth0, Clerk, Supabase, Firebase) is putting in the JWT — user ID, roles, permissions, tenant.
  • Session troubleshooting. 'Why does my API return 401?' Decode the JWT and check the `exp` timestamp (and `nbf`, which can also reject a token if the issuer's clock is ahead of yours). Expired tokens are one of the most common causes of unexpected auth failures.
  • Learning JWTs. See how the three sections encode information. The signature is shown as raw bytes rather than decoded text because it is a MAC or digital signature over the first two parts, not a string.
  • Security audits. Check that no sensitive data (passwords, card numbers, PII beyond user IDs) is stored in JWT payloads. JWTs are base64url-encoded, not encrypted, so anyone holding the token can read them.

Tips

  • JWTs are base64url-encoded, not encrypted. Anyone with the token can read the payload. Never put secrets in the payload.
  • The signature is what provides integrity. Even though the payload is readable, any change to it invalidates the signature, provided the verifier actually checks the signature with the expected key and a pinned algorithm rather than trusting the token's own `alg` header.
  • This tool does NOT verify signatures. To verify, you need the signing key and a library such as jose (JS) or PyJWT (Python).
  • Access tokens should be short-lived (typically 5-15 minutes). Refresh tokens live longer (hours to days), should be stored more carefully, and should be rotated on use. A very long-lived access token (more than 24 hours) is a security anti-pattern: a stolen one stays valid until it expires, and a plain JWT cannot be revoked without extra server-side state.

Troubleshooting

'Not a valid JWT' error.
A JWT in JWS compact serialization has exactly two dots (header.payload.signature). A token with four dots is a JWE, an encrypted JWT, which this decoder does not handle. If you copied from an Authorization header, remove the 'Bearer ' prefix, and check for trailing whitespace or line breaks.
Turkish characters render as ????.
The payload bytes were probably not valid UTF-8, or were decoded as a single-byte encoding. RFC 7519 requires the header and payload JSON to be UTF-8; if your JWT provider emits something else, contact them.

Frequently asked questions

Is my JWT sent anywhere?
No. JWTs often contain sensitive claims, which is exactly why this tool runs entirely in your browser. Nothing leaves your device.
Does it verify the signature?
No. Verification needs the signing key (the shared secret for HS256, the issuer's public key for RS256 or ES256), and a verifier must also enforce which algorithm it expects. This tool decodes only, which is safer for a browser page, and the common use case is debugging payload contents.
Are the timestamps human-readable?
Yes — `iat`, `exp`, and `nbf` are shown both as raw epoch and as a local date/time.
Which algorithms are supported?
All algorithms, because decoding is format-only and does not depend on `alg`. The signature is shown as base64url but not verified.