Pro — remove ads
advertisement
// JWT → header + payload

JWT decoder

Paste a JSON Web Token to see what's actually inside it — the header and payload, decoded and pretty-printed.

advertisement

What decoding a JWT does and doesn't tell you

A JWT's header and payload are just Base64URL-encoded JSON — anyone can decode and read them, no secret required, which is exactly what this tool does. What it can't do is verify the signature: that needs the issuer's secret or public key, which is deliberately not something you'd paste into a random website.

Does this verify the token is valid or unexpired?

No — it only decodes the readable parts. Verifying the signature and checking expiry ("exp") happens on the server that issued the token, using a secret this tool never sees.

Is a JWT supposed to be readable like this?

Yes — the header and payload are only encoded, not encrypted. Never put secrets or sensitive data directly in a JWT payload; that's what the signature is for (proving it wasn't tampered with), not for hiding its contents.

Is my token sent anywhere?

No — decoding runs entirely in your browser with plain JavaScript. Nothing is uploaded.

Convertburda — universal conversions
advertisement