JWT Decoder
Decode JSON Web Tokens for debugging—header and payload only; ideal for auth troubleshooting.
When to use this tool
- Debugging why an auth request is failing silently in staging.
- Inspecting `exp`, `iss`, and `aud` claims during SSO integration.
- Teaching — showing what a JWT looks like in base64url form.
How it works
- Paste the full JWT (three dot-separated base64url segments).
- Read the decoded header and payload.
- Check `exp` is in the future and `aud`/`iss` match your expectations.
- Remember the signature is not verified by the decoder.
Privacy: This tool runs entirely in your browser. Your input is not sent to our servers.
Security note: This tool decodes the header and payload only. It does not verify signatures or trust chains—never paste production secrets into untrusted sites.
Frequently asked questions
Does it verify the signature?
No. Signature verification requires the signing key or public JWKS. Use your auth provider's SDK for that.
Is it safe to paste a production token here?
The decode runs locally in your browser and nothing is uploaded. Still, never paste long-lived production tokens anywhere you cannot audit.
Why does my token show invalid JSON in the payload?
Some JWTs use base64url (not base64). The decoder handles both, but if your token was copied with trailing whitespace or cut off, decoding will fail.
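The steps under "How it works" and the decoding-failure question above, as an added example (not this tool's own code): it decodes the header and payload, accepts base64url or base64 input, and checks `exp`, `iss` and `aud` without touching the signature. The function names, the sample token and the `https://idp.example` / `orders-api` values are constructed for illustration.

```javascript
// Added example: decode-only JWT inspection. The signature segment is never verified.
function b64urlToJson(segment) {
  // Accept base64url or standard base64: map to the standard alphabet, re-pad.
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/").replace(/=+$/, "");
  if (!/^[A-Za-z0-9+/]*$/.test(b64) || b64.length % 4 === 1) {
    throw new Error("segment is not valid base64/base64url (cut off or corrupted?)");
  }
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  // JSON.parse throws here when the segment was truncated mid-object.
  return JSON.parse(new TextDecoder("utf-8", { fatal: true }).decode(bytes));
}

function inspectJwt(token, expected, nowSeconds = Math.floor(Date.now() / 1000)) {
  // Trailing whitespace from copy/paste is a common cause of decode failures.
  const parts = token.trim().split(".");
  if (parts.length !== 3) {
    throw new Error(`expected 3 dot-separated segments, got ${parts.length}`);
  }
  const header = b64urlToJson(parts[0]);
  const payload = b64urlToJson(parts[1]);
  const problems = [];
  if (typeof payload.exp !== "number") problems.push("exp missing or not numeric");
  else if (payload.exp <= nowSeconds) problems.push("exp is in the past");
  if (payload.iss !== expected.iss) problems.push("iss mismatch");
  const aud = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
  if (!aud.includes(expected.aud)) problems.push("aud mismatch");
  // Decoding proves nothing about authenticity, so say so in the result.
  return { header, payload, problems, signatureVerified: false };
}

// Constructed sample token (not a real credential); the third segment is a placeholder.
const enc = (obj) =>
  btoa(JSON.stringify(obj)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const sampleToken = [
  enc({ alg: "RS256", typ: "JWT" }),
  enc({ iss: "https://idp.example", aud: "orders-api", exp: 2000000000 }),
  "placeholder-signature",
].join(".");

const expectedClaims = { iss: "https://idp.example", aud: "orders-api" };
console.log(inspectJwt(sampleToken + "\n", expectedClaims, 1700000000));
```

An empty `problems` array only means the claims look right; the token is still untrusted until the signature is verified with the signing key or JWKS.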