Toolerax logoToolerax

JWT Decoder

Decode JWT header & payload instantly.

100% private — runs in your browser, nothing is uploaded.

Note: this decoder does not verify the signature — it only reads the token contents. Never trust an unverified JWT for authorisation.

How to use the JWT Decoder

  1. 1
    Paste your JWT

    Paste the full token in the header.payload.signature format.

  2. 2
    Read the header and payload

    Both parts are decoded and shown as readable JSON, along with the expiry status.

  3. 3
    Remember it is not verified

    This decoder only reads the token — it does not verify the signature, so never trust it for authorisation.

Free online JWT decoder

This JWT decoder reads a JSON Web Token and shows its header and payload in readable JSON. JWTs are widely used for authentication and API access, and decoding them is essential when debugging login flows and token claims.

What you can see

  • Header — the signing algorithm and token type.
  • Payload — the claims such as user id, roles, issued-at and expiry.
  • Expiry — whether the token is still valid, based on its exp.

Everything runs locally in your browser for full privacy.

Frequently Asked Questions

What does this JWT decoder do?

It splits a JSON Web Token into its three parts and decodes the header and payload from Base64Url so you can read the claims (like sub, exp and iat) in plain JSON.

Does it verify the signature?

No. This tool only decodes and displays the token contents. It does not verify the signature, so never rely on an unverified token for security decisions.

Is my token sent anywhere?

No. Decoding happens entirely in your browser, so your token — which may be sensitive — never leaves your device.

What are the three parts of a JWT?

A JWT has a header (the algorithm and type), a payload (the claims/data) and a signature (used to verify it). They are Base64Url-encoded and joined with dots.

How do I know if a JWT is expired?

Check the exp claim in the payload — it is a Unix timestamp. This decoder shows the expiry date and whether the token has already expired.

From the blogWhat Is a JWT (JSON Web Token)?How JSON Web Tokens work: the three parts, why a JWT is signed but not encrypted, the alg:none attack, revocation problems, and when not to use one.Read the full guide

Related tools