JWT Decoder
Paste a JWT token to decode and inspect the header, payload, and signature. Expiry date is highlighted.
How to Use This Tool
- Paste the source string or data into the JWT Decoder input box above.
- The JWT Decoder processes the input instantly and shows the result in the output box below.
- Copy the encoded or decoded result with one click, or switch direction to reverse the operation.
Common Use Cases
- API debugging: Frontend developers decode JWTs from Authorization headers to inspect the sub, exp, and scope claims when troubleshooting 401 errors.
- Security review: Pentesters check for the "none" algorithm vulnerability and look for sensitive data leaking in unencrypted payloads.
- OAuth flow inspection: Verify that an id_token from Google, Auth0, or Okta carries the expected aud and iss claims for your application.
Frequently Asked Questions
Is decoding a JWT the same as verifying it?
No. Decoding splits the token on dots and Base64URL-decodes the header and payload, which anyone can do. Verification requires checking the signature against the issuer's public key (or shared secret). This decoder does not verify signatures; treat decoded payloads as untrusted.
What's in a JWT's three parts?
A JWT is header.payload.signature: three Base64URL-encoded parts joined by dots. The header declares the algorithm (HS256, RS256, ES256). The payload holds claims (sub, exp, iat, custom data). The signature is an HMAC (HS256) or an RSA/ECDSA signature (RS256/ES256) computed with a key over the string header.payload.
Why should I never use the "none" algorithm?
The "none" algorithm means no signature at all. Some older libraries accept "alg":"none" tokens as valid if the application doesn't enforce a whitelist of algorithms, which lets an attacker forge any payload. Always validate that alg matches the value you expect from your issuer (e.g., RS256) before trusting any claim in the token.
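As an added example (not the tool's own code), the following shows the difference between decoding and verifying described in the answers above: a minimal decoder that splits on dots and Base64URL-decodes the parts, an expiry check, and an HS256 verifier that only accepts the algorithm it expects, so an "alg":"none" token is rejected. The secret and claims are constructed demo values, not a real issuer's.

```python
import base64, hashlib, hmac, json, time

def _b64url_decode(segment: str) -> bytes:
    # Base64URL omits '=' padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def decode_jwt(token: str) -> dict:
    """Split on dots and decode header/payload. Anyone can do this; nothing is verified."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("a JWS compact token has exactly three dot-separated parts")
    return {"header": json.loads(_b64url_decode(parts[0])),
            "payload": json.loads(_b64url_decode(parts[1])),
            "signature": _b64url_decode(parts[2])}

def is_expired(payload: dict, now: int = None) -> bool:
    # 'exp' is seconds since the epoch; a token with no 'exp' is treated as not expired here
    now = int(time.time()) if now is None else now
    return "exp" in payload and now >= int(payload["exp"])

def verify_hs256(token: str, secret: bytes) -> bool:
    """Verify the HMAC over header.payload, accepting only the alg we expect."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":  # allowlist: "none" and every other alg are rejected
        return False
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, _b64url_decode(sig_b64))

def make_token(header: dict, payload: dict, secret: bytes) -> str:
    """Build a constructed demo token; an 'alg':'none' header gets an empty signature part."""
    signing_input = ".".join(_b64url_encode(json.dumps(p, separators=(",", ":")).encode())
                             for p in (header, payload))
    if header.get("alg") == "none":
        return signing_input + "."
    return signing_input + "." + _b64url_encode(
        hmac.new(secret, signing_input.encode(), hashlib.sha256).digest())

SECRET = b"demo-secret"  # constructed demo key, not a real issuer's secret
CLAIMS = {"sub": "user-123", "iss": "https://issuer.example", "exp": 1700000000}
SIGNED = make_token({"alg": "HS256", "typ": "JWT"}, CLAIMS, SECRET)
UNSIGNED = make_token({"alg": "none", "typ": "JWT"}, {**CLAIMS, "sub": "admin"}, b"")
```

Decoding UNSIGNED still yields a readable payload claiming sub "admin"; only verify_hs256 tells the two tokens apart.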