JWT Decoder — Decode JSON Web Tokens

JWT (JSON Web Token) is an open standard (RFC 7519) for representing claims securely between parties. A JWT consists of three Base64URL-encoded parts separated by dots: the header, the payload, and the signature. This tool decodes the header and payload — the signature cannot be verified without the secret key.

What is a JWT and How Does This Decoder Work Online?

A JSON Web Token (JWT) is a compact, URL-safe method of representing claims between two parties, defined in RFC 7519. This decoder takes the raw JWT string you paste in and splits it into its three component parts — header, payload, and signature — formatting the JSON sections for easy reading. Everything runs in your browser; your token is never transmitted to any server.

The Three Parts of a JWT

A JWT is three Base64URL-encoded strings joined by dots: header.payload.signature.

Header — a JSON object declaring the token type (typ: "JWT") and the signing algorithm (e.g. alg: "HS256", "RS256", "ES256")
Payload — a JSON object containing claims: registered claims like sub (subject), iss (issuer), exp (expiry), iat (issued at), and custom application-defined claims
Signature — computed by signing the encoded header + "." + encoded payload using the secret key or private key. This tool decodes but cannot verify the signature without the key.

Important Security Notes When Working With JWTs

JWTs are encoded, not encrypted. Anyone who holds the token can read the header and payload — only the signature prevents tampering. Never store sensitive data (passwords, PII, credit card numbers) in a JWT payload.
Always check the expiry (exp). A token with a past expiry timestamp should be rejected by the server. This decoder shows the exp field so you can see if a token is still valid.
Never paste production tokens into untrusted online tools. Chunky Munster processes your token 100% client-side — it is never sent anywhere — but always be cautious.
The "alg: none" attack. Never accept JWTs signed with algorithm "none" on the server side. It means no signature verification is being done.

When Do Developers Use a JWT Decoder?

JWTs are used in virtually every modern authentication system — OAuth 2.0, OpenID Connect, and most API authentication schemes rely on them. Developers use a JWT decoder to inspect the claims inside an access token or ID token during debugging, to check token expiry, to verify the correct scopes were granted, or to diagnose authentication failures in development environments.

Frequently Asked Questions

Is it safe to paste my JWT here?

Yes — decoding happens entirely in your browser. Nothing is sent to any server. However, never share JWTs containing sensitive data on untrusted tools.

Can this verify a JWT signature?

No — signature verification requires the secret key or public key, which you should never share with third-party tools.

JWT Decoder online

Decode JWT tokens — header, payload and expiry — no data leaves your browser