64 Base64Toolkit
Language:

JWT Decoder

Paste a JSON Web Token — header, payload and expiry are decoded instantly, entirely in your browser.

What is inside a JWT?

A JSON Web Token is three Base64URL-encoded segments joined by dots: header.payload.signature. The header declares the signing algorithm (alg) and token type; the payload carries the claims — standard ones like sub (subject), iss (issuer), exp (expiry) and iat (issued at), plus whatever custom claims your identity provider adds; the signature lets the receiving server verify the token was not tampered with.

Because the first two segments are just Base64URL (see our Base64URL tool), anyone can read a JWT — which is exactly what this tool does when you debug an Authorization: Bearer header from your logs, check why a token was rejected (expired? wrong audience? clock skew on nbf?), or inspect what claims your OAuth/OIDC provider actually issues. Never put secrets in JWT payloads, and never trust a decoded token without verifying its signature server-side.

Frequently Asked Questions

How do I decode a JWT token?

Paste the token above. A JWT is three Base64URL segments separated by dots — the header and payload are decoded to formatted JSON instantly, with exp/iat/nbf timestamps translated to human-readable dates and an expiry check.

Is it safe to paste a JWT here?

Decoding happens entirely in your browser — the token is never transmitted, logged or stored. That said, a live production token is a credential: prefer expired or test tokens when sharing screens.

Can this tool verify a JWT signature?

No — and be wary of online tools that ask for your signing secret. This tool decodes the header and payload (which requires no secret). Signature verification should happen server-side with your secret or public key, e.g. with the jsonwebtoken or jose library.

Why does my JWT fail to decode?

Check it has exactly three dot-separated segments and was copied fully (tokens are long and often truncated in logs). Bearer prefixes are stripped automatically here. If a segment contains + or /, it is standard Base64 rather than Base64URL — unusual for JWTs but this decoder handles both.

Related Tools