Mr.AndroidShin / Dev Tools

JWT Decoder

Paste a JSON Web Token to read its header and payload. Decoding runs entirely in your browser.

This tool decodes a token — it does not verify the signature (that needs your secret). Decoding is not decryption: anyone can read a JWT payload. Don't paste production tokens you wouldn't want visible on your screen.

What a JWT contains

A JSON Web Token has three parts separated by dots: header.payload.signature. The header and payload are Base64URL-encoded JSON — readable by anyone. The signature is what proves the token wasn't tampered with, and verifying it requires the signing key. This tool shows you the first two parts and leaves the signature untouched.
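The decoding step described above, as an added example (not this tool's own source code). The function names and the sample token are constructed for illustration, and the example goes slightly beyond the text by rejecting malformed segments and reporting five-part tokens as JWE instead of trying to read them.

```javascript
// Added example: decode (never verify) a compact JWT of the form header.payload.signature.
const B64URL = /^[A-Za-z0-9_-]+$/;

function b64urlToBytes(segment) {
  if (!B64URL.test(segment)) throw new Error("segment is not Base64URL");
  if (segment.length % 4 === 1) throw new Error("impossible Base64URL length");
  // Base64URL uses '-' and '_' instead of '+' and '/', and drops '=' padding.
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/")
    .padEnd(Math.ceil(segment.length / 4) * 4, "=");
  return Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
}

function decodeJsonSegment(segment, name) {
  let text;
  try {
    // fatal: true rejects invalid UTF-8 rather than silently replacing bytes.
    text = new TextDecoder("utf-8", { fatal: true }).decode(b64urlToBytes(segment));
  } catch (e) { throw new Error(`${name}: ${e.message}`); }
  let value;
  try { value = JSON.parse(text); } catch { throw new Error(`${name}: not JSON`); }
  if (value === null || typeof value !== "object" || Array.isArray(value))
    throw new Error(`${name}: not a JSON object`);
  return value;
}

function decodeJwt(token) {
  const parts = token.trim().split(".");
  if (parts.length === 5) throw new Error("five parts: JWE, payload is encrypted");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  return {
    header: decodeJsonSegment(parts[0], "header"),
    payload: decodeJsonSegment(parts[1], "payload"),
    signature: parts[2], // left untouched, exactly as received
    verified: false,     // decoding proves nothing about authenticity
  };
}

// Constructed sample token; the third part is a placeholder, not a real signature.
function b64url(obj) {
  const bytes = new TextEncoder().encode(JSON.stringify(obj));
  return btoa(String.fromCharCode(...bytes))
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}
const SAMPLE = [b64url({ alg: "HS256", typ: "JWT" }),
  b64url({ sub: "user-123", name: "Zoë", exp: 1900000000 }), "c2lnbmF0dXJl"].join(".");
console.log(decodeJwt(SAMPLE));
```

The `verified: false` field is always set because nothing in the header or payload can be trusted until a backend has checked the signature with the right key.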

Common payload claims

FAQ

Is my token sent anywhere?

No. The token is decoded locally in your browser and never leaves the page.

Why isn't the signature verified?

Verification requires the secret that signed the token, or the public key that corresponds to the signing key, and that check belongs in your backend. This tool intentionally stays a decoder.

Can I read an encrypted JWT (JWE)?

No. Standard JWTs are signed, not encrypted, so their payload is readable. A JWE is encrypted and cannot be read without the key.
