JWT Decoder

Paste a JSON Web Token to read its header and payload. Everything is decoded locally in your browser — the signature is not verified and nothing is ever uploaded.

A JSON Web Token (JWT) is a compact, URL‑safe credential used all over modern authentication — API access tokens, single sign‑on, session identifiers. It packs three Base64URL‑encoded parts, separated by dots: a header naming the signing algorithm, a payload of claims (like the subject sub, issued‑at iat and expiry exp), and a signature that lets the issuer prove the token wasn't tampered with. This decoder splits the token on the dots, Base64URL‑decodes the first two parts (mapping the URL‑safe - and _ characters back to + and / and restoring the = padding that Base64URL strips), decodes the resulting bytes as UTF‑8, and pretty‑prints the JSON.

⚠️ It decodes, it does not verify

This tool intentionally does not check the signature — that needs the secret or public key. A decoded payload only tells you what a token claims; never trust it for an authorisation decision without verifying the signature on your server. And remember a standard JWT is encoded, not encrypted, so anyone with the token can read its payload.

Everything runs locally. Your token is decoded in the browser with native atob and TextDecoder — there are no network requests, no logging and no storage. That's important because a JWT is frequently a live credential; pasting one into a server‑side online decoder could hand your session to a third party. Here it stays on your machine.

JWTs almost always travel inside an Authorization: Bearer HTTP header over an encrypted connection — see our guide on what TLS/SSL is to understand the transport security that protects them. To inspect the raw JSON claims after decoding, the JSON Formatter pairs nicely with this tool, and if a token's iat or exp is a Unix timestamp, drop it into the Unix Timestamp Converter to read the date.

Frequently asked questions

Does this tool verify the JWT signature?

No. It only decodes the header and payload so you can read the claims. It deliberately does not verify the signature, because that requires the secret or public key. Never trust a decoded token's contents for security decisions without verifying the signature on your server.

Is my token sent to a server?

No. Decoding happens entirely in your browser using JavaScript and the Web APIs atob and TextDecoder. Your token is never uploaded, logged or stored, which matters because JWTs often act as live credentials.

What are the three parts of a JWT?

A JWT has three Base64URL‑encoded sections separated by dots: the header (which algorithm and token type), the payload (the claims, such as sub, iat and exp) and the signature (computed over the first two parts, so that anyone holding the right key can verify they have not been tampered with).

Can anyone read the payload of a JWT?

Yes. A standard JWT is only Base64URL‑encoded, not encrypted, so anyone holding the token can read the payload. For that reason you should never put secrets or sensitive personal data in a JWT payload.
