Developer Tools

JWT Decoder

Decode a JWT to read its header and payload — instantly and privately.

Updated June 2026

0 characters · 0 lines

How to use the JWT Decoder

  1. 1

    Paste your JWT

    Drop the full token (header.payload.signature) into the box.

  2. 2

    Read the decoded claims

    The header and payload appear instantly as formatted JSON below.

  3. 3

    Copy the result

    Hit Copy result to grab the decoded output. Nothing is uploaded or saved.

About this tool

A JWT (JSON Web Token) is a compact, URL-safe token used to carry claims between two parties, most often for authentication and authorization. Every JWT has three Base64url-encoded parts separated by dots: a header that names the signing algorithm, a payload that holds the claims (such as the subject, issued-at time, and expiry), and a signature. This JWT decoder splits the token and shows you the decoded header and payload as readable, pretty-printed JSON.

Decoding a JWT is not the same as verifying it. The first two segments are only Base64url-encoded, not encrypted, so anyone can read them — that is exactly what this tool does. It deliberately does not check the signature, which means you do not need to paste any secret or key. Because all of the work happens locally in your browser with JavaScript, your token never leaves your device and is never logged or stored. That makes it safe to inspect real production tokens while you debug.

Developers reach for a JWT decoder constantly: confirming which claims an auth provider actually issued, checking the `exp` and `iat` timestamps when a session expires unexpectedly, or reading the `alg` in the header during a security review. Paste the full `header.payload.signature` string and the decoded claims appear immediately. If the token is malformed or the segments are not valid Base64url JSON, the tool shows a clear error instead of returning garbage.

Examples

Input

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkFkYSBMb3ZlbGFjZSIsImlhdCI6MTcwMDAwMDAwMH0.signature

Output

{ "header": { "alg": "HS256", "typ": "JWT" }, "payload": { "sub": "1234567890", "name": "Ada Lovelace", "iat": 1700000000 } }

Decode: the header and payload are revealed as formatted JSON. The signature is left unverified.

Input

not-a-real.token

Output

Not a valid JWT (expected header.payload.signature)

A token without three valid segments returns a clear error.

Common uses

  • Checking which claims an identity provider actually issued in an access token
  • Reading the exp and iat timestamps to debug why a session expired early
  • Inspecting the alg field in the header during a security review
  • Confirming the sub, scope, or role claims while building authorization logic
  • Quickly reading a token from a request header without writing throwaway decode code
  • Verifying that a refreshed token contains the expected updated claims

Frequently asked questions

Is this JWT decoder free?+

Yes. It is completely free with no sign-up, no limits, and no watermarks.

Is my token uploaded or stored anywhere?+

No. Decoding happens entirely in your browser using JavaScript. Your token never leaves your device, which makes it safe to inspect real, production tokens.

Does this verify the JWT signature?+

No. This tool decodes only — it reads the header and payload but does not verify the signature. That is why it never asks for a secret or key. Use your server or auth library to verify a token's authenticity.

What's the difference between decoding and verifying a JWT?+

Decoding just Base64url-decodes the header and payload, which are not encrypted, so anyone can read them. Verifying re-computes the signature with the signing key to confirm the token is authentic and untampered. This tool only decodes.

Why does my JWT fail to decode?+

A JWT must have exactly three dot-separated parts, and the header and payload must be valid Base64url-encoded JSON. If a segment is missing, truncated, or not valid JSON, the tool reports an error instead of returning garbage.

Base64 Encode / Decode

Encode text to Base64 or decode Base64 back to text — instantly and privately.

Embed this tool

Free to use on your own site — it stays fast and private for your visitors.

Paste this where you want the tool to appear:

<iframe src="https://hypercho.com/embed/jwt-decoder" title="JWT Decoder by Hypercho" width="100%" height="560" style="border:1px solid #d8cec3;border-radius:16px;max-width:720px" loading="lazy"></iframe>
<p style="font:13px sans-serif"><a href="https://hypercho.com/tools/jwt-decoder" target="_blank" rel="noopener">JWT Decoder</a> by <a href="https://hypercho.com" target="_blank" rel="noopener">Hypercho</a></p>
← Browse all tools