JWT Decoder
Paste a JSON Web Token to instantly decode its header and payload. Runs entirely in your browser - the token never leaves your device, so it's safe to paste.
-
-
What is this?
A free JWT decoder that reads the header and payload of a JSON Web Token. A JWT is three base64url-encoded parts (header.payload.signature) joined by dots - the header and payload are not encrypted, just encoded, so anyone can read them. This tool decodes them locally in your browser; nothing is sent anywhere.
It does not verify the signature (that needs the signing secret or public key, a server-side step). The takeaway: never put secrets in a JWT payload - it's readable by anyone holding the token.
Frequently asked questions
Is this JWT decoder safe?
Yes - decoding happens entirely in your browser in JavaScript. The token is never sent to a server.
Does it verify the signature?
No - it decodes the header and payload (base64url, not encrypted). Verifying the signature requires the secret/public key, which is done server-side.
Is it free?
Yes - free, no signup, no install. It runs entirely in your browser.
Building auth? Practice JWT for real.
On HeyDevJob you add JWT login, fix a token-bypass bug, and rotate a leaked signing key in a real cloud workspace - free, and every fix lands on your portfolio.
Start free →