JWT Decoder

Decode a JWT into its header and payload (no signature verification — that needs the signing key).

Signature is shown but not verified — verification requires the algorithm's signing key. Treat decoded payloads from untrusted tokens with care.

Monitor this automatically

NetTests can run this check on a schedule, preserve historical results, compare changes over time, and alert you the moment something breaks.

Start monitoring free → See all monitoring products

Frequently Asked Questions

What is a JWT?

A JSON Web Token (JWT) is a compact, URL-safe string used to transmit claims between parties. It has three Base64-encoded parts separated by dots: header.payload.signature. The header specifies the algorithm; the payload carries the claims (user ID, roles, expiry, etc.); the signature proves the token was issued by a trusted party.

Can this tool verify the signature?

No — signature verification requires the secret key (for HMAC algorithms like HS256) or the public key (for RSA/EC algorithms like RS256). This tool only decodes the Base64 parts to make the claims readable. Never trust the payload claims without verifying the signature in your application code.

What are the standard JWT claims?
  • sub — subject (usually the user ID).
  • iss — issuer (who created the token).
  • aud — audience (intended recipient).
  • exp — expiry time (Unix timestamp).
  • iat — issued-at time.
  • nbf — not-before time (token is invalid before this).
Is it safe to paste a real JWT here?

A JWT's payload is only Base64-encoded, not encrypted — anyone who can read the token can read its claims. However, you should still treat JWTs as secrets because a valid token grants access until it expires. When debugging, use a short-lived test token or redact the signature before pasting.