A compact JWT (JSON Web Token) is a three-part string—header, payload, and signature—separated by dots. To decode it without writing code, paste the token into a browser-based JWT Decoder. The tool parses the Base64Url-encoded header and payload locally, displaying their JSON contents instantly. Because the signature is never verified in the browser, the decoded output is marked as unverified and should only be used for debugging or inspection. When trust matters, always validate the token in its owning application using the correct secret or public key.
Developers and security teams often need to inspect JWTs during API development, troubleshooting, or audits. Instead of installing libraries or writing scripts, a browser-based decoder provides immediate visibility. For example, you might receive a token from an OAuth flow and want to confirm its claims before using it in a frontend application. The JWT Decoder lets you paste the token, see the decoded header and payload, and verify the token’s structure—all without leaving your browser tab.

When to Use a JWT Decoder
Use a JWT Decoder when you need to inspect a token’s contents quickly, such as:
- Debugging authentication errors in API responses.
- Verifying the claims (e.g.,
exp,iss,sub) in a token stored in local storage or cookies. - Troubleshooting OAuth or OpenID Connect flows by checking the token’s header algorithms and payload data.
- Reviewing tokens during security audits or penetration testing.
The tool is not a substitute for proper token validation. Always validate the signature in your backend or trusted environment before acting on the token’s claims.
How JWT Decoding Works
A JWT consists of three Base64Url-encoded segments:
- Header: Contains the token type (
JWT) and the signing algorithm (e.g.,HS256,RS256). - Payload: Contains the claims—statements about the entity (e.g., user ID, expiration time) and additional metadata.
- Signature: A cryptographic signature generated by combining the header, payload, and a secret or private key.
To decode the token, the JWT Decoder splits the string at the dots, decodes the first two segments from Base64Url to JSON, and displays them. The signature is ignored because verifying it requires the original secret or public key, which is not available in the browser. This is why the tool labels the output as "unverified."
Decode a JWT in Your Browser
- Copy the compact JWT (e.g.,
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c). - Open the JWT Decoder in your browser.
- Paste the token into the input field.
- Click Decode JWT to see the decoded header and payload.
- Review the output, noting the "unverified" warning. The header and payload are displayed as formatted JSON for easy reading.
Example: Decoding a Sample JWT
Consider this example token:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
When pasted into the JWT Decoder, the tool outputs:
| Segment | Decoded Content |
|---|---|
| Header | {
"alg": "HS256",
"typ": "JWT"
} |
| Payload | {
"sub": "1234567890",
"name": "John Doe",
"iat": 1516239022
} |
The signature (SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c) is not decoded or verified. To confirm the token’s integrity, validate it in your application using the secret key corresponding to the HS256 algorithm.
Common Use Cases for JWT Decoding
Here are scenarios where decoding a JWT is helpful:
| Scenario | Why Decode? |
|---|---|
| API Debugging | Inspect tokens returned by authentication endpoints to verify claims like exp (expiration) or aud (audience). |
| Frontend Development | Check tokens stored in local storage or cookies to ensure they contain the expected user data. |
| Security Audits | Review tokens for sensitive data or misconfigured claims (e.g., overly permissive roles). |
| OAuth/OIDC Flows | Troubleshoot identity provider responses by confirming the token’s structure and claims. |
In all cases, remember that the decoded output is unverified. Treat it as a debugging aid, not a source of truth.
Alternatives to Browser-Based Decoding
If you prefer to decode JWTs programmatically, several libraries are available:
- JavaScript: Use jwt-decode (a lightweight library for decoding tokens in the browser).
- Python: Use the
PyJWTlibrary (jwt.decode(token, options={"verify_signature": False})). - Java: Use
java-jwtfrom Auth0 (JWT.decode(token)). - Go: Use the
github.com/golang-jwt/jwtpackage (token, _ := jwt.Parse(tokenString, nil)).
These libraries provide more control but require coding. For quick inspections, the JWT Decoder is faster and more convenient.
Security Considerations
When decoding JWTs, keep these security practices in mind:
- Never trust unverified tokens: The JWT Decoder does not validate signatures. Always verify tokens in your backend before using their claims.
- Avoid decoding sensitive tokens in shared environments: If you’re working with tokens containing PII or confidential data, decode them in a secure, private environment.
- Check for weak algorithms: If the header shows
alg: "none"or an insecure algorithm (e.g.,HS256with a weak secret), treat the token as untrustworthy. - Validate expiration and audience: Even if the token is verified, ensure the
exp(expiration) andaud(audience) claims are correct for your use case.
For more on JWT security, refer to the RFC 7519 specification.
Troubleshooting Decoding Errors
If the JWT Decoder fails to decode your token, check for these common issues:
- Malformed token: Ensure the token has exactly two dots (e.g.,
header.payload.signature). Extra or missing dots will cause errors. - Invalid Base64Url encoding: The header and payload must be valid Base64Url strings. If you manually edited the token, re-encode it correctly.
- Empty segments: A token like
header..signature(missing payload) is invalid. - Non-JWT input: The tool only works with JWTs. If you paste a different format (e.g., a session cookie), decoding will fail.
If you’re unsure about the token’s structure, use a JSON Validator to check the decoded segments for syntax errors.
Integrating JWT Decoding into Your Workflow
Here’s how to incorporate the JWT Decoder into your development process:
- During API Development: Use the tool to inspect tokens returned by your authentication endpoints. Verify that the claims match your expectations (e.g., correct user IDs, roles, and expiration times).
- In Frontend Debugging: When building a frontend app that stores tokens in local storage, decode the token to confirm its contents before using it in API calls.
- For Security Reviews: During code reviews or security audits, decode tokens to check for misconfigurations (e.g., missing
expclaims or overly permissive roles). - In CI/CD Pipelines: While the JWT Decoder is browser-based, you can automate token validation in your CI/CD pipeline using libraries like
PyJWTorjava-jwt.
For more on debugging APIs, read our guide on How to Format JSON for Readability and Debugging.