JSON
JWT decoder
Try it
Inspect header and payload (Base64URL). Read-only — does not verify signatures.
Loading…
Guide
How to use this tool, examples, and related tips.
How to Use the JWT Decoder
Paste your JWT — the full xxxxx.yyyyy.zzzzz string — into the input field.
The tool splits the token into its three parts, Base64URL-decodes the header and payload, and displays them as formatted JSON.
Inspect the claims, expiry, issuer, and any other fields in the payload.
What Is a JWT?
A JSON Web Token (JWT) is a compact, URL-safe token format defined in RFC 7519, used to transmit claims between parties. A JWT consists of three Base64URL-encoded parts separated by dots: a header (specifying the algorithm), a payload (containing the claims), and a signature. The header and payload are plain JSON — only the signature is cryptographic. JWTs are widely used in authentication systems, OAuth 2.0 flows, and API authorization, typically passed as a Bearer token in the Authorization header.
When to Use This Tool
Debugging authentication flows — Inspect the claims in a JWT to verify the issuer, subject, expiry time, and custom claims without writing decode logic.
Checking token expiry — Decode the exp claim to confirm whether a token has expired or is still valid.
Understanding third-party tokens — Decode JWTs from OAuth providers, identity platforms, or APIs to understand their structure and claims.
Development and testing — Quickly inspect tokens during local development without needing a library or debugger.
Related Tools
- Base64 decoder
- JSON formatter & validator
- HMAC generator
- Base64 encode / decode
- JSON validator
FAQ
Answers about this tool and how your data is handled.
Does this tool verify the JWT signature?
No. This tool decodes the header and payload only — it does not verify the signature against a secret or public key. Never trust the claims in a JWT without signature verification in your application code.
Is it safe to paste a JWT into this tool?
The tool runs entirely in your browser — nothing is sent to a server. That said, treat production JWTs as sensitive credentials. Avoid pasting live tokens from production systems into any online tool when possible.
What is Base64URL encoding?
Base64URL is a variant of Base64 that replaces + with - and / with _, and omits padding, making it safe for use in URLs and HTTP headers. JWTs use Base64URL for the header and payload segments.
Can I use this to decode any Base64URL string?
This tool is specifically designed for the three-part JWT format. For general Base64 decoding, use the Base64 decoder.
What claims should I look for in a JWT payload?
Common registered claims include sub (subject), iss (issuer), exp (expiration time), iat (issued at), and aud (audience). Custom claims vary by application.
関連ツール
同じカテゴリを優先し、その他のユーティリティを表示します。
- JSON escapeEscape a string for embedding in JSON.JSON
- JSON formatter & validatorFormat, minify, and validate JSON — fix payloads before APIs or configs.JSON
- JSON minifierRemove whitespace from JSON — compact one-liner.JSON
- JSON unescapeUnescape JSON string escapes.JSON
- JSON validatorValidate JSON and show parse errors with position.JSON
- Case converterlower, UPPER, camelCase, PascalCase, snake_case, CONSTANT_CASE, Train-Case.テキスト