How to Decode a JWT (JSON Web Token)
A JSON Web Token looks like random text, but two of its three parts are just Base64url-encoded JSON you can read instantly. Here's how to decode one safely, without sending it anywhere.
Last updated: July 2026
A JWT has three Base64url-encoded parts separated by dots — header.payload.signature. To decode one, paste it into a JWT decoder: it Base64url-decodes the header and payload into readable JSON so you can inspect claims like exp (expiry), iat (issued-at) and iss (issuer). Decoding never needs the signing key; verifying the signature does.
Step by step
- Open the free JWT Decoder.
- Paste your token (the header.payload.signature string).
- Read the decoded header and payload JSON.
- Check claims like exp, iat and iss to understand the token.
What are the three parts of a JWT?
A JWT is header.payload.signature. The header names the signing algorithm (e.g. HS256), the payload carries the claims (data), and the signature proves the token wasn't altered. Only the signature involves a key (a shared secret for HS256, or a private/public key pair for asymmetric algorithms such as RS256); the header and payload are readable by anyone.
Is decoding a JWT the same as verifying it?
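No. Decoding just reads the Base64url content and requires no key. Verifying checks the signature against the issuer's secret or public key to confirm authenticity. This tool decodes only, on purpose, so it's safe to paste sensitive tokens: nothing is uploaded. Because decoding skips the signature check, decoded claims are unverified. Anyone can produce a token with any header and payload, so never base an access decision on a token that was only decoded.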
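What a decoder does with the token, as an added example that is not the original page's or the tool's own code: it Base64url-decodes the first two segments, parses them as JSON, and interprets exp and iat, while leaving the signature untouched. The function names, the sample token and issuer.example are constructed for illustration; atob and TextDecoder are available in browsers and in current Node.js.

```javascript
// Added example: decode-only inspection of a JWT. No signature check is done.
function b64urlDecode(segment) {
  if (!/^[A-Za-z0-9_-]+$/.test(segment)) throw new Error("not Base64url");
  // Base64url -> Base64: swap the URL-safe characters, then restore padding.
  let b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  b64 += "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes);
}

function decodeJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const [header, payload] = parts.slice(0, 2).map((p) => JSON.parse(b64urlDecode(p)));
  for (const part of [header, payload]) {
    if (part === null || typeof part !== "object" || Array.isArray(part)) {
      throw new Error("header and payload must be JSON objects");
    }
  }
  // exp and iat are NumericDate values: seconds since the Unix epoch.
  const toIso = (t) => {
    const d = new Date(typeof t === "number" ? t * 1000 : NaN);
    return Number.isNaN(d.getTime()) ? null : d.toISOString();
  };
  return {
    header,
    payload,
    alg: header.alg ?? null,
    issuer: payload.iss ?? null,
    issuedAt: toIso(payload.iat),
    expiresAt: toIso(payload.exp),
    expired: typeof payload.exp === "number" ? nowSeconds >= payload.exp : null,
    verified: false, // decoding alone never establishes authenticity
  };
}

// Constructed sample token; the third segment is a placeholder, not a real signature.
const enc = (obj) =>
  btoa(JSON.stringify(obj)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const SAMPLE_TOKEN = [
  enc({ alg: "HS256", typ: "JWT" }),
  enc({ iss: "https://issuer.example", iat: 1700000000, exp: 1700003600 }),
  "not-a-real-signature",
].join(".");

console.log(decodeJwt(SAMPLE_TOKEN));
```

The sample decodes cleanly even though its signature segment is meaningless, which is why the result always reports verified: false.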
FAQ
Is it safe to paste a token here?
Yes — decoding runs entirely in your browser and the token is never sent to a server. Still, avoid pasting live production tokens into any online tool as a general habit.
Why can anyone read the payload?
A JWT is signed, not encrypted, by default. The signature prevents tampering, but the payload is only Base64url-encoded — so never put secrets in it.