JWT Decoder

Paste a JSON Web Token to instantly decode its header and payload. Runs entirely in your browser - the token never leaves your device, so it's safe to paste.

Header
Payload
-

What is this?

A free JWT decoder that reads the header and payload of a JSON Web Token. A JWT is three base64url-encoded parts (header.payload.signature) joined by dots - the header and payload are not encrypted, just encoded, so anyone can read them. This tool decodes them locally in your browser; nothing is sent anywhere.

It does not verify the signature (that needs the signing secret or public key, a server-side step). The takeaway: never put secrets in a JWT payload - it's readable by anyone holding the token.

Frequently asked questions

Is this JWT decoder safe?

Yes - decoding happens entirely in your browser in JavaScript. The token is never sent to a server.

Does it verify the signature?

No - it decodes the header and payload (base64url, not encrypted). Verifying the signature requires the secret/public key, which is done server-side.

Is it free?

Yes - free, no signup, no install. It runs entirely in your browser.

Building auth? Practice JWT for real.

On HeyDevJob you add JWT login, fix a token-bypass bug, and rotate a leaked signing key in a real cloud workspace - free, and every fix lands on your portfolio.

Start free →