Decode a JSON Web Token header and payload locally. Read claims safely, but remember decoding does not verify the signature.
Related
JSON, JWT, and Base64 tools that process every byte locally in your browser tab — no upload endpoint, no server-side logs of pasted payloads.
Base64 is reversible encoding, not encryption. Decode it in one step, handle Unicode correctly, and read JWT sections that use Base64url.
A quick validation pass before sending an API request can separate JSON syntax problems from authentication, schema, and backend errors.
A JWT is three Base64url-encoded sections joined by dots: header.payload.signature. Paste a token and click Decode to read the header and payload as JSON. Everything runs in your browser — the token is never sent to a server, which matters because a JWT often contains identity and session claims.
Whether you search for decode jsonwebtoken (one word), jwt decode, or json web token decoder, this is the same workflow: split on dots, Base64url-decode the first two sections, and render the result as JSON.
Anyone can decode a JWT — no key is required, because the payload is only encoded, not encrypted. Decoding tells you what a token claims; it does not prove the token is authentic. Always verify the signature against your secret or public key on the server before trusting any claim, and never put passwords or secrets in a JWT payload.
iss issuer · sub subject · aud audienceexp expiry · iat issued-at · nbf not-before (Unix timestamps)For more depth, see How to Decode a JWT and why Base64 is not encryption. To inspect a single section manually, use the Base64 decoder.
No. Decoding shows what the token claims, but it does not prove the token is authentic. Always verify the signature against your secret or public key on the server before trusting any claim, and never store secrets in a JWT payload.