JWT Decoder
Decode and inspect JWT tokens — view header, payload, and signature information instantly.
What Is JWT?
JWT (JSON Web Token) is an open standard (RFC 7519) for securely transmitting information between parties as a JSON object. A JWT is digitally signed, meaning it can be verified and trusted. Our free JWT decoder online lets you inspect the contents of any JWT token without sending it to a server.
Structure of a JWT
A JWT consists of three parts separated by dots:
header.payload.signature
Header
Contains the token type and signing algorithm (e.g., HS256, RS256).
Payload
Contains the claims — statements about an entity and additional data. Standard claims include sub, iat, exp.
Signature
Verifies the token hasn't been tampered with. Created by signing the encoded header and payload with a secret key.
What Is Base64Url Encoding?
JWT uses Base64Url encoding, which is a URL-safe variant of Base64.
Unlike standard Base64, it uses - instead of + and _ instead of /, and omits padding = characters. This JWT payload decoder automatically handles this encoding when decoding tokens.
Common JWT Use Cases
- Authentication — Users receive a JWT after logging in, which they send with each request to verify their identity.
- API Authorization — Backend services use JWTs to authorize access to protected API endpoints.
- SaaS Sessions — SaaS platforms use JWTs to maintain session state across distributed microservices.
- Single Sign-On — SSO protocols like OpenID Connect use JWTs to transmit identity information.
- Password Reset — Time-limited JWTs encode password reset tokens with expiration claims.
Is JWT Secure?
JWT tokens are signed, not encrypted. The header and payload are Base64Url-encoded, not encrypted — anyone with the token can decode and read them. Never put sensitive data in a JWT payload. The signature ensures the token hasn't been modified, but it does not protect the contents from being viewed. Our JWT token decoder shows exactly what data is visible in any JWT.
JWT Token Example
Encoded JWT
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
Decoded Header
{"alg":"HS256","typ":"JWT"}
Decoded Payload
{"sub":"1234567890","name":"John Doe","iat":1516239022}
How to Do This in Code
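The following Python sketch is an added example, not this site's own code. It decodes the token above without any key, restoring the Base64Url padding by hand, and then shows separately what an HS256 signature check adds. The demo key and the claims passed to `sign_hs256` are constructed for illustration.

```python
import base64
import hashlib
import hmac
import json

# Example token copied from this page.
PAGE_TOKEN = ("eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
              "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ."
              "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c")

def b64url_decode(segment: str) -> bytes:
    """Decode Base64Url, restoring the '=' padding that JWTs omit."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def decode_unverified(token: str):
    """Return (header, payload, signature bytes). No key is involved and
    nothing is verified, so the result is readable but not yet trustworthy."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    header, payload = (json.loads(b64url_decode(p)) for p in parts[:2])
    return header, payload, b64url_decode(parts[2])

def sign_hs256(header: dict, payload: dict, key: bytes) -> str:
    """Build a token for the demo: HMAC-SHA256 over 'header.payload'."""
    enc = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = enc(header) + "." + enc(payload)
    mac = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(mac)

def verify_hs256(token: str, key: bytes) -> bool:
    """Accept only HS256 and compare the MAC in constant time."""
    try:
        header, _, signature = decode_unverified(token)
    except ValueError:  # bad segment count, Base64Url or JSON
        return False
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        return False
    signed = token.rsplit(".", 1)[0].encode("ascii")  # the 'header.payload' bytes
    expected = hmac.new(key, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)

if __name__ == "__main__":
    print(decode_unverified(PAGE_TOKEN)[:2])  # header and payload, read without a key
    demo_key = b"constructed-demo-key"  # constructed sample key
    token = sign_hs256({"alg": "HS256", "typ": "JWT"}, {"sub": "alice"}, demo_key)
    print(verify_hs256(token, demo_key), verify_hs256(token, b"wrong-key"))
```

A service should only act on claims after a check like `verify_hs256` succeeds; `decode_unverified` is for inspection, which is all a decoder does.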
JWT Decoder FAQ
What is a JWT?
A JSON Web Token (JWT) is a compact, URL-safe token format used for authentication. It consists of a header, payload, and signature, each Base64Url-encoded.
Can I see the signature?
Yes, the signature is Base64Url-decoded and displayed. However, JWTs are signed, not encrypted — the signature verifies integrity, not confidentiality.