apidevtools


JWT Decoder & Debugger

Decode JWT header and payload locally in your browser.


Overview

Inspect token claims fast during auth debugging, especially when checking issuer, audience, expiration, and subject values.

What is a JWT Token?

A JSON Web Token (JWT) is an open standard (RFC 7519) used to securely transmit information between parties as a JSON object. JWTs are commonly used for API authentication and authorization. A JWT consists of three parts separated by dots: the header, the payload, and the signature. The header typically specifies the token type (JWT) and the signing algorithm used, such as HS256 or RS256. The payload contains claims — statements about the user or entity, including standard claims like sub (subject), iss (issuer), exp (expiration time), and aud (audience). The signature verifies that the token was not tampered with and was issued by a trusted party.

How to decode a JWT online

Decoding a JWT is straightforward: paste your token into the input field above and the decoder instantly splits and base64url-decodes the header and payload sections. The header reveals the signing algorithm and token type. The payload exposes all claims, including the expiration time (exp), subject (sub), issued-at time (iat), and any custom claims your API includes. Note that decoding a JWT only reveals its contents — it does not verify the signature. Use this tool during development and debugging to quickly inspect token contents without needing a server-side library or local code.

JWT Header, Payload & Signature explained

Every JWT has three base64url-encoded parts joined by dots. The header contains token metadata, typically specifying the signing algorithm (alg) and token type (typ: 'JWT'). The payload is where claims live: registered claims like exp (expiration), iat (issued at), and nbf (not before), plus any application-specific data your backend adds. The signature is computed over the encoded header and payload, joined by a dot, using a secret or private key. The signature ensures integrity: if any part of the token is modified, signature verification will fail. JWT payloads are encoded but not encrypted, so anyone who holds the token can read them; never store sensitive data such as passwords in a JWT payload.

Examples

Decode standard auth token

Input

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0IiwibmFtZSI6IkpvaG4ifQ.signature

Output

{"sub":"1234","name":"John"}

Invalid token format

Input

abc.def

Output

Error: expected 3 dot-separated token parts.

Use cases

  • Debug token-based API authentication flows.
  • Inspect exp, iss, aud, and sub claims quickly.
  • Verify token structure before backend validation.

FAQ

Does this tool verify signatures?

No. It decodes token content only. Signature verification requires the secret or public key and should be done server-side.

Is token data sent to your server?

No. Decoding runs entirely in your browser. Your token never leaves your machine.

Why do I get an invalid token error?

The token must contain exactly three base64url-encoded parts separated by dots: header, payload, and signature.

Can I copy decoded payloads?

Yes. Header and payload sections can be copied directly from the output.
