JWT Decoder

Decode and inspect JWTs (JSON Web Tokens). View the header, payload and signature. No verification - client-side only.

About the JWT Decoder

The JWT Decoder splits any JSON Web Token into its three parts - header, payload and signature - and displays them as formatted JSON. Standard claims such as expiry (exp), issuer (iss) and subject (sub) are explained in a human-readable table, and expired tokens are flagged automatically. All decoding happens entirely in your browser; the token is never sent to any server.

Common use cases

Frequently Asked Questions

How does the JWT Decoder work technically?

A JSON Web Token is made up of three Base64URL-encoded segments separated by dots: the header, the payload, and the signature. The decoder splits the token on those dots, applies atob() with URL-safe character substitution to each segment, then parses the resulting JSON. The signature segment is displayed as-is since verifying it requires the secret key or public certificate - decoding it alone does not prove authenticity.
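
The split-and-decode steps described above, as an added example (not this tool's own source code). The function names and the sample token are constructed for illustration, and the UTF-8 step via TextDecoder is an addition beyond the atob() call the answer mentions; nothing here verifies the signature.

```javascript
// Added example: decode-only JWT inspection. The signature is never checked.
function base64UrlDecode(segment) {
  // Map the URL-safe alphabet back to standard Base64 and restore padding.
  let b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  if (b64.length % 4 === 1) throw new Error("invalid Base64URL length");
  b64 += "=".repeat((4 - (b64.length % 4)) % 4);
  // atob() returns one character per byte; decode those bytes as UTF-8
  // so non-ASCII claim values are not mangled.
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes);
}

function decodeJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected three dot-separated segments");
  const [headerSeg, payloadSeg, signature] = parts;
  const header = JSON.parse(base64UrlDecode(headerSeg));
  const payload = JSON.parse(base64UrlDecode(payloadSeg));
  // exp is in seconds since the Unix epoch; null means the claim is absent.
  const expired = typeof payload.exp === "number" ? payload.exp <= nowSeconds : null;
  // The signature is returned as-is; "verified" is always false here.
  return { header, payload, signature, expired, verified: false };
}

// Helpers that build a constructed sample token (placeholder signature).
function base64UrlEncode(text) {
  const bytes = new TextEncoder().encode(text);
  const bin = Array.from(bytes, (b) => String.fromCharCode(b)).join("");
  return btoa(bin).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

function makeSampleToken(payload) {
  const header = { alg: "HS256", typ: "JWT" };
  return [
    base64UrlEncode(JSON.stringify(header)),
    base64UrlEncode(JSON.stringify(payload)),
    "c2FtcGxlLXNpZ25hdHVyZQ", // constructed placeholder, not a real MAC
  ].join(".");
}

const sample = makeSampleToken({
  iss: "https://issuer.example", sub: "user-123", name: "Zoë", exp: 1700000000,
});
console.log(decodeJwt(sample, 1700000001));
```

Because the result always carries `verified: false`, code that consumes it cannot mistake a successfully decoded token for an authenticated one.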

Is it safe to paste a real JWT into this tool?

All decoding happens entirely in your browser - the token string is never transmitted to any server, stored in a database, or logged. That said, a JWT can contain sensitive identity claims such as user IDs, email addresses, or scopes, so as a general security practice you should avoid pasting production tokens into any third-party tool unless you fully control it. For sensitive environments, consider using a locally hosted or offline decoder instead.

Can this tool verify a JWT's signature?

No - signature verification is intentionally out of scope because it requires access to the secret (for HMAC algorithms like HS256) or the public key (for asymmetric algorithms like RS256 and ES256). Decoding only reads the header and payload claims, which are visible to anyone who holds the token string. If you need to verify a JWT's authenticity, use your server's SDK or a dedicated verification library such as jsonwebtoken for Node.js or python-jose for Python.

What JWT algorithms and token types are supported?

The decoder supports any standard three-part JWT regardless of the signing algorithm declared in the header (HS256, HS384, HS512, RS256, RS384, RS512, ES256, PS256, etc.) because decoding only parses the Base64URL-encoded segments and does not attempt cryptographic verification. Both access tokens and ID tokens issued by OAuth 2.0 / OpenID Connect providers such as Auth0, Firebase, AWS Cognito, and Okta can be decoded without any configuration.

How does this compare to jwt.io?

jwt.io is the canonical reference tool and offers signature verification for a wide range of algorithms directly in the browser. This decoder focuses on a faster, cleaner inspection experience: it automatically explains standard claims in plain English, flags expired tokens visually, and requires no interaction beyond pasting the token. It is not intended to replace jwt.io for signature verification workflows, but is ideal for the common day-to-day task of quickly reading what a token contains during API development and debugging.