Free browser tool

JWT Decoder

The JWT decoder reads a JSON Web Token and decodes its header and payload sections into formatted JSON. It is useful for inspecting claims, algorithms, token issuer values, expiration timestamps, scopes, and other payload fields while debugging authentication flows.

This tool only decodes the token. It does not verify the signature, validate trust, check revocation, or prove that the JWT is safe to accept. Treat decoded data as untrusted unless your application verifies the token with the correct secret or public key.

What this tool does

A JSON Web Token, or JWT, is a compact token format made of three dot-separated parts: header, payload, and signature. The header and payload are Base64URL-encoded JSON. A decoder turns those encoded sections back into readable JSON so you can inspect claims, algorithms, key identifiers, issuer values, audiences, scopes, and expiration timestamps.

Decoding is not the same as verification. Anyone can decode the header and payload of a JWT because those sections are not encrypted by default. Verification requires checking the signature with the correct secret or public key and confirming claims such as issuer, audience, expiration, and intended use. This page intentionally decodes only; it does not prove that a token is valid or trustworthy.

JWT decoding is still very useful during development. It helps you understand what an identity provider sent, why an API rejected a request, whether a token includes the expected scopes, and whether timestamps or custom claims look correct. Treat decoded data as untrusted until your application verifies it.

Common use cases

Inspect authentication claims

Read subject, issuer, audience, expiration, roles, scopes, and custom claims during auth debugging.

Check header metadata

Look at algorithm, token type, or key identifier fields before troubleshooting verification failures.

Debug API authorization

Compare the claims your API expects with the claims actually present in the token payload.

Review token timestamps

Decode issued-at and expiration claims to understand whether a token is expired or not yet valid.

Example before and after

The decoder reads the Base64URL payload and formats it as JSON. The signature section is not verified.

JWT input

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjMiLCJuYW1lIjoiQWRhIn0.signature

Decoded payload

{
  "sub": "123",
  "name": "Ada"
}
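The decoding step shown above, written out as an added example (not this tool's own source code): it splits the token, Base64URL-decodes the header and payload, and flags timestamp problems without verifying anything. The function names and the `notes` and `signatureVerified` fields are assumptions of this example.

```javascript
// Added example: decode-only JWT inspection. Nothing here verifies the signature.
const SAMPLE_TOKEN = // the example token from this page
  "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjMiLCJuYW1lIjoiQWRhIn0.signature";

function decodeSegment(segment, label) {
  // Base64URL alphabet only; a length of 4n+1 can never be valid Base64.
  if (!/^[A-Za-z0-9_-]+$/.test(segment) || segment.length % 4 === 1) {
    throw new Error(label + " is not valid Base64URL");
  }
  // Map to standard Base64 and restore the padding that JWTs omit.
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/")
    .padEnd(Math.ceil(segment.length / 4) * 4, "=");
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  // fatal: true throws on invalid UTF-8 instead of substituting characters.
  const text = new TextDecoder("utf-8", { fatal: true }).decode(bytes);
  const value = JSON.parse(text);
  if (value === null || typeof value !== "object" || Array.isArray(value)) {
    throw new Error(label + " is not a JSON object");
  }
  return value;
}

// Informational only: the claims are unverified, so these notes prove nothing.
function timeNotes(payload, nowSeconds) {
  const notes = [];
  for (const claim of ["exp", "nbf", "iat"]) {
    if (claim in payload && !Number.isFinite(payload[claim])) {
      notes.push(claim + " is not a numeric timestamp");
    }
  }
  if (Number.isFinite(payload.exp) && nowSeconds >= payload.exp) notes.push("expired");
  if (Number.isFinite(payload.nbf) && nowSeconds < payload.nbf) notes.push("not yet valid");
  return notes;
}

function decodeJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) {
    // Opaque tokens and five-part encrypted tokens (JWE) end up here.
    throw new Error("expected 3 dot-separated parts, got " + parts.length);
  }
  const header = decodeSegment(parts[0], "header");
  const payload = decodeSegment(parts[1], "payload");
  return { header, payload, notes: timeNotes(payload, nowSeconds), signatureVerified: false };
}

console.log(JSON.stringify(decodeJwt(SAMPLE_TOKEN), null, 2));
```

The signature part is never read, so the result always carries `signatureVerified: false`.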

How to use

  1. Paste a JWT with three dot-separated parts.
  2. Click Decode JWT.
  3. Review the decoded header and payload JSON.

Common errors

Trusting decoded claims

Decoded claims are readable, but they are not trustworthy unless the signature and claims are verified.

Using the wrong token type

Opaque access tokens do not decode like JWTs. A JWT should have three dot-separated sections.

Confusing Base64URL and encryption

JWT header and payload are usually encoded, not encrypted. Anyone with the token can read them.

Ignoring expiration

A readable token can still be expired. Check exp, nbf, iat, audience, and issuer in your backend.

Why use this tool

Inspect token claims during development.

Read JWT header algorithms and key identifiers.

Debug auth payloads without sending tokens to a backend.

Best practices

Never rely on decoding alone

Use decoding for inspection, then verify signatures and claims in your application.

Avoid sharing live tokens

Tokens may contain sensitive claims or grant access. Use redacted examples when possible.

Check the algorithm carefully

The header's alg value shows which algorithm the token claims to be signed with, which helps explain what verification method your backend should use.

Treat payload data as user-controlled

Until verification succeeds, decoded payload fields should be considered untrusted input.

FAQ

Does this verify JWT signatures?

No. It only decodes the header and payload. It does not verify signatures.

Can decoded JWT data be trusted?

Not by itself. JWT data must be verified by your application before trust.

What parts are decoded?

The tool decodes the header and payload JSON sections.

Is the JWT uploaded?

The tool runs in your browser and does not require login, a database, or server-side processing.