JWT · JSON Web Token

JWT Decoder.

Paste any JSON Web Token to see its header, claims, and signature decoded inline. We highlight expiration, "not before", and the algorithm — everything runs in your browser.

Important

Decoding only reveals what is inside the token. It does not verify the signature, check expiration, or confirm the issuer. Never trust a decoded JWT as proof of authentication — use a vetted JWT library for signature verification.

Frequently asked

About this tool.

A JWT is a compact, URL-safe token used for stateless authentication and information exchange. It has three parts: a header describing the algorithm, a payload containing claims (like user ID and expiration), and a signature for tamper detection. Each part is Base64URL-encoded and joined with dots.

No. Decoding only reveals what is inside the token — the header and claims are readable by anyone. Verifying a JWT requires the signing key (a secret for HMAC, a public key for RSA or ECDSA) and confirms that the token has not been tampered with. Our tool only decodes; it does not verify. Never trust the contents of a JWT as proof of authentication without verifying the signature.

No, this tool only handles signed JWTs (JWS). Encrypted JWTs (JWE) require the decryption key. If your token has five segments separated by dots instead of three, it is a JWE and cannot be decoded without the key.

It means the token is unsigned. Historically this was a major security vulnerability — attackers could forge tokens by setting alg to "none". Reputable libraries reject unsigned tokens by default. Our decoder displays a warning when it encounters one.

No. Decoding happens entirely in your browser using JavaScript. Nothing is uploaded, stored, or logged. You can verify this with your browser DevTools — the Network tab stays silent during decode.
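The decode-only checks described in the answers above (three Base64URL segments, five segments meaning JWE, the "none" algorithm, and the expiration and "not before" claims) can be sketched as follows. This is an added example, not this tool's own code; the names `inspectJwt`, `b64urlToJson` and `enc`, the sample tokens and the fixed clock value `NOW` are constructed for illustration.

```javascript
// Added example: decode-only inspection. It never verifies a signature.
function b64urlToJson(segment) {
  // Base64URL -> standard Base64, restore padding, then decode as UTF-8 JSON.
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return JSON.parse(new TextDecoder().decode(bytes));
}

function inspectJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length === 5) {
    // Five segments: encrypted (JWE); claims are unreadable without the key.
    return { kind: "JWE", warnings: ["encrypted token: cannot decode without the key"] };
  }
  if (parts.length !== 3) {
    throw new Error(`expected 3 dot-separated segments, got ${parts.length}`);
  }
  const header = b64urlToJson(parts[0]);
  const payload = b64urlToJson(parts[1]);
  const warnings = ["decoded only: signature NOT verified"];
  if (String(header.alg).toLowerCase() === "none") {
    warnings.push("alg is none: token is unsigned");
  }
  if (parts[2] === "") warnings.push("signature segment is empty");
  if (typeof payload.exp === "number" && payload.exp <= nowSeconds) {
    warnings.push("expired (exp)");
  }
  if (typeof payload.nbf === "number" && payload.nbf > nowSeconds) {
    warnings.push("not yet valid (nbf)");
  }
  return { kind: "JWS", header, payload, warnings };
}

// Constructed sample input: claims and clock value are made up, and the third
// segment of hsToken is a placeholder string, not a real signature.
const enc = (obj) =>
  btoa(JSON.stringify(obj)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const NOW = 1700000000;
const unsignedToken =
  `${enc({ alg: "none", typ: "JWT" })}.${enc({ sub: "user-123", exp: NOW - 60 })}.`;
const hsToken =
  `${enc({ alg: "HS256", typ: "JWT" })}.` +
  `${enc({ sub: "user-123", nbf: NOW + 300, exp: NOW + 3600 })}.c2lnLXBsYWNlaG9sZGVy`;

console.log(inspectJwt(unsignedToken, NOW).warnings);
console.log(inspectJwt(hsToken, NOW).warnings);
```

Every JWS result carries the "signature NOT verified" warning, because nothing in this code can tell a forged token from a genuine one.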
