JWT Decoder

Paste a JSON Web Token to read its header and payload in plain JSON. Decoded in your browser, so your token is never uploaded.

✔ 100% Free ✔ No Signup ✔ No Watermark ✔ Unlimited Use

Updated 2026-07-05 · Built and maintained by the MakeToolz team.

Decode a JSON Web Token in Seconds

A JWT (JSON Web Token) is a compact, signed token that carries claims, such as who a user is, between a server and an app. It looks like three chunks of gibberish joined by dots, but the first two parts are just Base64url-encoded JSON. This free JWT decoder reads them back into plain, readable JSON.

Paste a token and you instantly see its header (which algorithm signed it) and its payload (the claims, like the user ID and expiry). The tool also converts the expiry and issued-at times into readable dates. It all runs in your browser, so your token is never sent anywhere.

How to Use the JWT Decoder

  1. Copy the JWT you want to inspect.
  2. Paste it into the box above.
  3. Click Decode Token to read the header and payload.

Why Use MakeToolz's JWT Decoder?

Header and payload

Decodes both Base64 parts into clean, indented JSON you can actually read.

Human dates

Turns exp, iat, and nbf timestamps into readable UTC dates.

Fully private

Decoding happens in your browser. Your token, which is a credential, is never uploaded.

Clear errors

A malformed token gives a helpful message instead of a blank screen.

No account

Paste and decode, nothing to sign up for.

Free

No limits.

How a JWT Is Built

A JSON Web Token is three pieces joined by dots. The first piece is the header, the second is the payload, and the third is the signature. The header and payload are plain JSON that has been encoded with Base64url, a web-safe variation of Base64 that replaces + and / with - and _ and drops the trailing = padding, so the token travels cleanly in a URL, a cookie, or an HTTP header. Decoding simply reverses that encoding (restore the padding, swap the two characters back, Base64-decode) to reveal the original JSON.

The signature is different. It is created by running the header and payload (the first two Base64url parts, joined by a dot) through a signing algorithm with a secret or private key. Its job is to prove the token was not tampered with. Anyone can read the first two parts, because Base64url is not encryption, it is just an encoding. Only someone with the secret (for HMAC algorithms like HS256) or the private key (for RS256, ES256 and similar) can create a valid signature; checking it needs the same secret or the matching public key.
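The decoding steps above, written out as an added example in Node.js. This is not the MakeToolz tool's own code; the Base64url handling is done by hand so the character swaps and padding are visible, the sample token is constructed inline, and its third part is a placeholder rather than a real signature.

```javascript
// Added example, not the MakeToolz tool's own code: decode a JWT's header and
// payload by hand, exactly as the section above describes. Node.js (Buffer).

function base64urlToBase64(s) {
  // Base64url replaces '+' with '-' and '/' with '_' and drops '=' padding;
  // reverse that, then restore the padding a standard Base64 decoder expects.
  let b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  const rem = b64.length % 4;
  if (rem === 1) throw new Error('Base64url string has an impossible length');
  if (rem) b64 += '='.repeat(4 - rem);
  return b64;
}

function base64urlDecode(s) {
  if (!/^[A-Za-z0-9_-]*$/.test(s)) throw new Error('not Base64url: bad characters');
  return Buffer.from(base64urlToBase64(s), 'base64').toString('utf8');
}

function base64urlEncode(str) {
  return Buffer.from(str, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function parseJsonObject(part, name) {
  let value;
  try {
    value = JSON.parse(base64urlDecode(part));
  } catch (e) {
    // A cut-off or altered part fails here with a message that names the part.
    throw new Error(`${name} is not Base64url-encoded JSON: ${e.message}`);
  }
  if (value === null || typeof value !== 'object' || Array.isArray(value)) {
    throw new Error(`${name} must decode to a JSON object`);
  }
  return value;
}

// Registered time claims are seconds since the Unix epoch; JS Date wants milliseconds.
const TIME_CLAIMS = ['exp', 'iat', 'nbf'];

function decodeJwt(token) {
  if (typeof token !== 'string') throw new Error('token must be a string');
  const parts = token.trim().split('.');
  if (parts.length !== 3) {
    throw new Error(`expected 3 dot-separated parts, got ${parts.length}`);
  }
  const header = parseJsonObject(parts[0], 'header');
  const payload = parseJsonObject(parts[1], 'payload');
  const dates = {};
  for (const claim of TIME_CLAIMS) {
    if (Number.isFinite(payload[claim])) {
      dates[claim] = new Date(payload[claim] * 1000).toISOString();
    }
  }
  // The signature is passed through untouched: decoding does NOT check it.
  return { header, payload, dates, signature: parts[2] };
}

// Constructed sample token; the third part is a placeholder, not a real HMAC.
const SAMPLE_TOKEN = [
  base64urlEncode(JSON.stringify({ alg: 'HS256', typ: 'JWT' })),
  base64urlEncode(JSON.stringify({ sub: 'user-42', role: 'viewer', iat: 1700000000, exp: 1700003600 })),
  'placeholder-signature',
].join('.');

console.log(JSON.stringify(decodeJwt(SAMPLE_TOKEN), null, 2));
```

Running it prints the header, the payload, and exp and iat as ISO 8601 UTC dates; feeding it a token with a missing part or a truncated segment throws an error that says which part failed rather than a generic parse failure.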

Decode Is Not the Same as Verify

This point matters for security, so it is worth stating plainly. Decoding a token shows you what is inside. Verifying a token proves it is genuine and unaltered. A decoder like this one reads the header and payload, but it does not check the signature, because that requires the secret (for HMAC algorithms such as HS256) or the public key matching the issuer's private key (for RS256, ES256 and similar), and the secret or private key should never leave your server. Never trust the contents of a token in your app until your backend has verified the signature, using the algorithm it expects rather than whatever the alg field in the header claims, since that field is part of the attacker-controlled input. Otherwise an attacker could hand-craft a payload that claims to be an admin.

The Three Parts of a Token

Part        Holds                                         Encoded how
Header      Algorithm and token type, such as HS256       Base64url JSON
Payload     Claims like sub, exp, iat, and custom data    Base64url JSON
Signature   Proof the token was not changed               Signed with a secret or key

Understanding the Common Claims

The payload carries claims, which are the facts the token asserts. A few are standard and worth knowing. The sub claim identifies the subject, usually the user. The iat claim is the issued-at time, a Unix timestamp of when the token was made. The exp claim is the expiry time, at or after which the token should be rejected. The nbf claim, meaning not before, sets a time before which the token must not be accepted. These timestamps are counted in seconds since January 1, 1970 UTC, which is why the tool turns them into readable dates for you.

Benefits, Limits, and Common Mistakes

The benefit of decoding is fast debugging. When a login fails or a session expires early, reading the payload shows the expiry and the user ID at a glance, so you can see whether the token itself is the problem. It runs locally, so you are not sending a live credential to a stranger's server.

  • Do not treat a decoded payload as verified. Reading it is safe, but only a signature check proves it is real.
  • Do not paste a real production token into tools you do not trust, since a token is a live credential like a password.
  • Remember that expiry is in seconds, not milliseconds. JavaScript's Date expects milliseconds, so multiply by 1000 before converting; comparing exp to Date.now() without that conversion makes every token look expired.
  • Tip: if a token fails to decode, check that you copied all three parts and both dots, since a cut-off token will not parse.

Because the parts are Base64url, you can also inspect one manually with the Base64 encoder and decoder, then tidy the JSON with the JSON formatter to read it clearly.

People Also Ask

Is a JWT encrypted?

No. A standard JWT is signed, not encrypted. The header and payload are only Base64url encoded, so anyone can read them. The signature proves the token was not changed, but it does not hide the contents. (Encrypted JWTs, called JWE, do exist but are far less common and have five dot-separated parts rather than three.)

Can I trust the data in a decoded JWT?

Not until it is verified. Decoding shows the contents, but your backend must check the signature with the key before trusting any claim inside.

What does the exp claim mean?

It is the expiry time, given as a Unix timestamp in seconds. After that moment the token should be rejected. The tool converts it into a readable date.

Why are there three parts in a JWT?

The header says how the token is signed, the payload holds the claims, and the signature proves the first two were not tampered with. Dots separate them.

What is Base64url and why is it used?

It is a web-safe form of Base64 that replaces + and / with - and _ and removes the = padding, so the token is safe inside URLs and HTTP headers without further escaping.

Should I put sensitive data in a JWT payload?

No. Because the payload is readable by anyone, never store passwords or secrets in it. Keep only claims that are safe to expose.

How do I verify a JWT signature?

On your server, compute or check the signature over the first two parts using the algorithm you expect (not whatever the token's header claims) and your secret or public key, then compare the result to the token's signature with a constant-time comparison. Also reject tokens whose exp has passed or whose nbf has not yet arrived. This tool does not do that step.

Frequently Asked Questions

What is inside a JWT?
Three parts joined by dots: a header saying how it is signed, a payload holding claims like the user ID and expiry, and a signature. The header and payload are Base64url-encoded JSON, which this tool decodes.
Does this tool verify the signature?
No. It only decodes the token so you can read it. Verifying the signature needs the secret (or, for asymmetric algorithms, the issuer's public key); the secret or private key should stay on your server. Never trust a token's contents without verifying it in your backend.
Is it safe to paste my token here?
The decoding runs entirely in your browser and nothing is uploaded, so it is safe. Still, treat any real token as a password and avoid pasting production credentials into tools you do not control.
Why does my token fail to decode?
Make sure you copied the whole token, including both dots. If a part was cut off or altered, the Base64 will not parse. A valid JWT has three sections.
