JWT Decoder
Decode any JSON Web Token — header, payload, signature — in your browser.
- No upload
- Browser-based
- Free
- No signup
Runs in your browser. Your text never leaves your device.
How to use JWT Decoder
- Paste your JWT into the input field. A JWT has three parts separated by dots: header.payload.signature.
- The decoded header, payload, and signature appear in three panels below.
- Click 'Load sample' to see how a JWT is structured with a realistic example.
- Timestamps (`iat`, `exp`, `nbf`) are shown in human-readable form next to the Payload heading, with an EXPIRED flag when `exp` is already in the past.
Common use cases
- API debugging. Read what claims your auth provider (Auth0, Clerk, Supabase, Firebase) is putting in the JWT — user ID, roles, permissions, tenant.
- Session troubleshooting. 'Why does my API return 401?' Decode the JWT and check the `exp` timestamp (and `nbf`, if present, against the server's clock). Expired tokens are one of the most common causes of unexpected auth failures.
- Learning JWTs. See how the three sections encode information. The signature is not decoded into text because it is raw signature bytes (an HMAC for HS256, an asymmetric signature for RS256/ES256), not JSON.
- Security audits. Verify that no sensitive data (passwords, credit cards, PII beyond user IDs) is stored in JWT payloads. A signed JWT is base64url-encoded, not encrypted, so anyone holding the token can read it.
Tips
- JWTs are base64URL-encoded, not encrypted. Anyone with the token can read the payload. Never put secrets in the payload.
- The signature IS security. Even though the payload is readable, it can't be modified without invalidating the signature, provided the receiving server actually verifies the signature against the expected key and algorithm rather than trusting the `alg` header.
- This tool does NOT verify signatures. To verify, you need the signing key (the shared secret for HS256, the public key for RS256/ES256) and a library like jose (JS) or PyJWT (Python).
- Access tokens should be short-lived (typically 5-15 min, at most an hour or so). Refresh tokens may live longer, but they should be stored server-side or otherwise revocable. Very long-lived JWTs (>24 hr) that cannot be revoked are a security anti-pattern.
Troubleshooting
- 'Not a valid JWT' error.
- JWTs must have exactly two dots. If you copied from headers, remove any 'Bearer ' prefix. Also check for trailing whitespace. A token with four dots (five parts) is a JWE, an encrypted JWT: it needs the decryption key and cannot be read by decoding alone.
- Turkish characters render as ????.
- The payload might not be UTF-8 encoded correctly. If your JWT provider uses a non-standard encoding, contact them: the JSON in a standard-compliant JWT (RFC 7519) is UTF-8, and a decoder that does strict UTF-8 decoding will reject anything else rather than render placeholder characters.
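The decoding steps from 'How to use' above and the two troubleshooting cases just described (a pasted 'Bearer ' prefix, a payload that is not valid UTF-8) in working code, as an added example that is not the tool's own source. It relies only on `atob`/`btoa` and `TextEncoder`/`TextDecoder`, so it runs unchanged in a browser or in Node 16+; the sample token, its claims and the placeholder signature segment are constructed for the example.

```javascript
// Added example (not the tool's source): decode a JWT's header and payload,
// render the time claims, and flag expiry. Nothing here verifies the signature.

function bytesToBase64Url(bytes) {
  let bin = '';
  for (const b of bytes) bin += String.fromCharCode(b);
  return btoa(bin).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function base64UrlToBytes(segment) {
  // base64url swaps '+'/'/' for '-'/'_' and drops '=' padding; atob() needs both restored.
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  const bin = atob(padded);
  return Uint8Array.from(bin, (c) => c.charCodeAt(0));
}

function encodeSegment(obj) {
  // The JSON must be UTF-8 bytes before base64url; btoa() on a raw JS string breaks non-ASCII.
  return bytesToBase64Url(new TextEncoder().encode(JSON.stringify(obj)));
}

function decodeSegment(segment) {
  // fatal: true makes invalid UTF-8 throw instead of silently turning into U+FFFD ("????").
  const text = new TextDecoder('utf-8', { fatal: true }).decode(base64UrlToBytes(segment));
  return JSON.parse(text);
}

function decodeJwt(token, now = Math.floor(Date.now() / 1000)) {
  // Tolerate the two common paste mistakes: a "Bearer " prefix and stray whitespace.
  const compact = token.trim().replace(/^Bearer\s+/i, '');
  const parts = compact.split('.');
  if (parts.length === 5) {
    throw new Error('Not a valid JWT for decoding: five parts is a JWE (encrypted), which needs the decryption key');
  }
  if (parts.length !== 3) {
    throw new Error('Not a valid JWT: expected header.payload.signature');
  }
  const [h, p, s] = parts;
  const header = decodeSegment(h);
  const payload = decodeSegment(p);

  // Show the registered time claims as ISO timestamps beside the raw epoch seconds.
  const timestamps = {};
  for (const claim of ['iat', 'nbf', 'exp']) {
    if (typeof payload[claim] === 'number') {
      timestamps[claim] = { epoch: payload[claim], iso: new Date(payload[claim] * 1000).toISOString() };
    }
  }

  return {
    header,
    payload,
    signatureBase64Url: s, // displayed as-is: decoding only, never verified here
    timestamps,
    expired: typeof payload.exp === 'number' && payload.exp <= now,
    notYetValid: typeof payload.nbf === 'number' && payload.nbf > now,
  };
}

// Constructed sample: an HS256 header, a payload with a non-ASCII name and a short
// lifetime, and a placeholder signature segment (the decoder never reads it).
const SAMPLE_TOKEN = [
  encodeSegment({ alg: 'HS256', typ: 'JWT' }),
  encodeSegment({ sub: 'user-42', name: 'Şule Çelik', iat: 1700000000, exp: 1700000900 }),
  'placeholder-signature',
].join('.');

// Decoding at a fixed "now" just past exp shows the EXPIRED case deterministically.
console.log(JSON.stringify(decodeJwt('Bearer ' + SAMPLE_TOKEN, 1700001000), null, 2));
```

The `now` parameter exists so the expiry check can be exercised at a chosen instant; in the browser the default (the current clock) is what you want. Passing a token with the wrong number of parts throws the same 'Not a valid JWT' message the troubleshooting entry describes.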
Frequently asked questions
- Is my JWT sent anywhere?
- No. JWTs often contain sensitive claims — that's exactly why this tool runs entirely in your browser. Nothing leaves your device.
- Does it verify the signature?
- No. Verification needs the signing key (the shared secret for HS256, the public key for RS256/ES256). This tool decodes only, which means no key ever has to be pasted into a web page, and the common use case is debugging payload contents anyway.
- Are the timestamps human-readable?
- Yes — `iat`, `exp`, and `nbf` are shown both as raw epoch and as a local date/time.
- Which algorithms are supported?
- All algorithms, because decoding is format-only: the `alg` header is displayed, not acted on. The signature is shown as its base64url text but not verified.