Herramientas JSON
JWT decoder
Try it
Inspect header and payload (Base64URL). Read-only — does not verify signatures.
Loading…
Guide
How to use this tool, examples, and related tips.
How to Use the JWT Decoder
Paste your JWT — the full xxxxx.yyyyy.zzzzz string — into the input field.
The tool splits the token into its three parts, Base64URL-decodes the header and payload, and displays them as formatted JSON.
Inspect the claims, expiry, issuer, and any other fields in the payload.
What Is a JWT?
A JSON Web Token (JWT) is a compact, URL-safe token format defined in RFC 7519, used to transmit claims between parties. A JWT consists of three Base64URL-encoded parts separated by dots: a header (specifying the algorithm), a payload (containing the claims), and a signature. The header and payload are plain JSON — only the signature is cryptographic. JWTs are widely used in authentication systems, OAuth 2.0 flows, and API authorization, typically passed as a Bearer token in the Authorization header.
When to Use This Tool
Debugging authentication flows — Inspect the claims in a JWT to verify the issuer, subject, expiry time, and custom claims without writing decode logic.
Checking token expiry — Decode the exp claim to confirm whether a token has expired or is still valid.
Understanding third-party tokens — Decode JWTs from OAuth providers, identity platforms, or APIs to understand their structure and claims.
Development and testing — Quickly inspect tokens during local development without needing a library or debugger.
Related Tools
- Base64 decoder
- JSON formatter & validator
- HMAC generator
- Base64 encode / decode
- JSON validator
FAQ
Answers about this tool and how your data is handled.
Does this tool verify the JWT signature?
No. This tool decodes the header and payload only — it does not verify the signature against a secret or public key. Never trust the claims in a JWT without signature verification in your application code.
Is it safe to paste a JWT into this tool?
The tool runs entirely in your browser — nothing is sent to a server. That said, treat production JWTs as sensitive credentials. Avoid pasting live tokens from production systems into any online tool when possible.
What is Base64URL encoding?
Base64URL is a variant of Base64 that replaces + with - and / with _, and omits padding, making it safe for use in URLs and HTTP headers. JWTs use Base64URL for the header and payload segments.
Can I use this to decode any Base64URL string?
This tool is specifically designed for the three-part JWT format. For general Base64 decoding, use the Base64 decoder.
What claims should I look for in a JWT payload?
Common registered claims include sub (subject), iss (issuer), exp (expiration time), iat (issued at), and aud (audience). Custom claims vary by application.
Herramientas relacionadas
Primero la misma categoría, luego otras utilidades.
- JSON escapeEscape a string for embedding in JSON.Herramientas JSON
- JSON formatter & validatorFormat, minify, and validate JSON — fix payloads before APIs or configs.Herramientas JSON
- JSON minifierRemove whitespace from JSON — compact one-liner.Herramientas JSON
- JSON unescapeUnescape JSON string escapes.Herramientas JSON
- JSON validatorValidate JSON and show parse errors with position.Herramientas JSON
- Case converterlower, UPPER, camelCase, PascalCase, snake_case, CONSTANT_CASE, Train-Case.Herramientas de texto