JWT Decoder
Paste a JSON Web Token to read its header and payload in plain JSON. Decoded in your browser, so your token is never uploaded.
100% Free · No Signup · No Watermark · Unlimited Use
Decode a JSON Web Token in Seconds
A JWT (JSON Web Token) is a compact, usually signed token that carries claims about a user, such as who they are and when their session expires, between a server and an app. It looks like three chunks of gibberish joined by dots, but the first two parts are just Base64url-encoded JSON. This free JWT decoder reads them back into plain, readable JSON.
Paste a token and you instantly see its header (which algorithm was used to sign it) and its payload (the claims, such as the user ID and expiry). The tool also converts the expiry, issued-at and not-before times into readable dates. It all runs in your browser, so your token is never sent anywhere.
How to Use the JWT Decoder
1. Copy the JWT you want to inspect.
2. Paste it into the box above.
3. Click Decode Token to read the header and payload.
Why Use MakeToolz's JWT Decoder?
Header and payload
Decodes both Base64url parts into clean, indented JSON you can actually read.
Human dates
Turns exp, iat, and nbf timestamps into readable UTC dates.
Fully private
Decoding happens in your browser. Your token, which is a credential, is never uploaded.
Clear errors
A malformed token gives a helpful message instead of a blank screen.
No account
Paste and decode, nothing to sign up for.
Free
No limits.
How a JWT Is Built
A JSON Web Token is three pieces joined by dots. The first piece is the header, the second is the payload, and the third is the signature. The header and payload are plain JSON that has been encoded with Base64url, a web-safe variation of Base64 that replaces + and / with - and _ and drops the = padding so the token travels cleanly in a URL or HTTP header. Decoding simply reverses that encoding to reveal the original JSON.
The signature is different. It is created by running the encoded header and payload through a signing algorithm with a secret or private key. Its job is to prove the token was not tampered with. Anyone can read the first two parts, because Base64url is not encryption, it is just an encoding. With an HMAC algorithm such as HS256, only someone holding the shared secret can create or check a valid signature; with an asymmetric algorithm such as RS256, only the holder of the private key can create one, while anyone with the matching public key can check it.
Decode Is Not the Same as Verify
This point matters for security, so it is worth stating plainly. Decoding a token shows you what is inside. Verifying a token proves it is genuine and unaltered. A decoder like this one reads the header and payload, but it does not check the signature, because that needs the verification key: the shared secret for HS256, which must never leave your server, or the issuer's public key for RS256 and the other asymmetric algorithms. Never trust the contents of a token in your app until your backend has verified the signature. Otherwise an attacker could hand-craft a payload that claims to be an admin, and a decoder would display it just as happily as a genuine one.
The Three Parts of a Token
| Part | Holds | Encoded how |
|---|---|---|
| Header | Algorithm and token type, such as HS256 | Base64url JSON |
| Payload | Claims like sub, exp, iat, and custom data | Base64url JSON |
| Signature | Proof the token was not changed | Signed with a secret or key |
Understanding the Common Claims
The payload carries claims, which are the facts the token asserts. A few are standard and worth knowing. The sub claim identifies the subject, usually the user. The iat claim is the issued-at time, a Unix timestamp of when the token was made. The exp claim is the expiry time, after which the token must be rejected. The nbf claim, meaning not before, sets a time before which the token is not yet valid. Timestamps are counted in seconds since January 1, 1970 UTC (the Unix epoch), which is why the tool turns them into readable dates for you.
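Reading the time claims and applying them, as an added example (not the tool's own code). The token is constructed inline with a placeholder signature, since this example only reads claims; the seconds-to-milliseconds conversion and the leeway parameter are the details a practitioner tends to get wrong.

```javascript
// Added example, not the MakeToolz tool's own code: reading the standard
// time claims from a JWT payload and applying them the way a server should.
// The token below is constructed; its signature part is a placeholder because
// this example only reads claims and does not verify anything.

const toB64url = (data) =>
  Buffer.from(data).toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const fromB64url = (s) => Buffer.from(s.replace(/-/g, "+").replace(/_/g, "/"), "base64");

const SAMPLE_CLAIMS = { sub: "user-42", iat: 1700000000, nbf: 1700000000, exp: 1700003600 };
const SAMPLE_TOKEN = [
  toB64url(JSON.stringify({ alg: "HS256", typ: "JWT" })),
  toB64url(JSON.stringify(SAMPLE_CLAIMS)),
  "placeholder-signature",
].join(".");

function readClaims(token) {
  return JSON.parse(fromB64url(token.split(".")[1]).toString("utf8"));
}

// Unix timestamps are seconds since 1970-01-01T00:00:00Z; JavaScript's Date
// wants milliseconds, hence the * 1000. Output is ISO 8601 in UTC.
function humanDates(claims) {
  const out = {};
  for (const name of ["iat", "nbf", "exp"]) {
    if (typeof claims[name] === "number") {
      out[name] = new Date(claims[name] * 1000).toISOString();
    }
  }
  return out;
}

// Is the token inside its validity window at `nowSeconds`? A small leeway
// absorbs clock skew between issuer and verifier. exp is exclusive: the token
// is already expired at the exact second named in exp. Requiring exp at all
// is this example's policy, not something the format forces.
function checkTimeClaims(claims, nowSeconds, leewaySeconds = 0) {
  if (typeof claims.exp !== "number") return { ok: false, reason: "missing exp" };
  if (nowSeconds >= claims.exp + leewaySeconds) return { ok: false, reason: "expired" };
  if (typeof claims.nbf === "number" && nowSeconds < claims.nbf - leewaySeconds) {
    return { ok: false, reason: "not yet valid" };
  }
  if (typeof claims.iat === "number" && claims.iat > nowSeconds + leewaySeconds) {
    return { ok: false, reason: "issued in the future" };
  }
  return { ok: true, reason: "within validity window" };
}

const claims = readClaims(SAMPLE_TOKEN);
console.log(humanDates(claims));
// { iat: '2023-11-14T22:13:20.000Z', nbf: '2023-11-14T22:13:20.000Z', exp: '2023-11-14T23:13:20.000Z' }
console.log(checkTimeClaims(claims, 1700001800)); // { ok: true, reason: 'within validity window' }
console.log(checkTimeClaims(claims, 1700003600)); // { ok: false, reason: 'expired' }
```

Passing a few seconds of leeway lets a token whose nbf is a moment in the future on the verifier's clock still pass, which is the usual fix for "token not yet valid" errors caused by clock drift rather than by a bad token.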
Benefits, Limits, and Common Mistakes
The benefit of decoding is fast debugging. When a login fails or a session expires early, reading the payload shows the expiry and the user ID at a glance, so you can see whether the token itself is the problem. It runs locally, so you are not sending a live credential to a stranger's server.
- Do not treat a decoded payload as verified. Reading it is safe, but only a signature check proves it is real.
- Do not paste a real production token into tools you do not trust, since a token is a live credential like a password.
- Remember that expiry is in seconds, not milliseconds. In JavaScript, where Date expects milliseconds, multiplying by 1000 is what turns it into a normal date.
- Tip: if a token fails to decode, check that you copied all three parts and both dots, since a cut-off token will not parse.
Because the parts are Base64url, you can also inspect one manually with the Base64 encoder and decoder, then tidy the JSON with the JSON formatter to read it clearly.
People Also Ask
Is a JWT encrypted?
No. A standard JWT is signed, not encrypted. The header and payload are only Base64url encoded, so anyone can read them. The signature proves the token was not changed, but it does not hide the contents.
Can I trust the data in a decoded JWT?
Not until it is verified. Decoding shows the contents, but your backend must check the signature with the key before trusting any claim inside.
What does the exp claim mean?
It is the expiry time, given as a Unix timestamp in seconds. After that moment the token should be rejected. The tool converts it into a readable date.
Why are there three parts in a JWT?
The header says how the token is signed, the payload holds the claims, and the signature proves the first two were not tampered with. Dots separate them.
What is Base64url and why is it used?
It is a web-safe form of Base64 that replaces + and / with - and _ and removes the = padding, so the token is safe inside URLs and HTTP headers without escaping.
Should I put sensitive data in a JWT payload?
No. Because the payload is readable by anyone, never store passwords or secrets in it. Keep only claims that are safe to expose.
How do I verify a JWT signature?
On your server, recompute the signature over the encoded header and payload using the algorithm you expect for your tokens (not simply whatever the header claims) and your secret or the issuer's public key, then compare it to the token's signature. This tool does not do that step.
Frequently Asked Questions
What is inside a JWT?
Does this tool verify the signature?
Is it safe to paste my token here?
Why does my token fail to decode?