JWT Decoder
Decode JSON Web Tokens and view header and payload data.
How to Use JWT Decoder
- Paste your complete JWT token (the long string with two dots) into the input field.
- The tool automatically decodes and displays the Header (algorithm, type) and Payload (claims, expiration, issuer) in formatted JSON.
- Review the decoded information including token expiration time, issuer, subject, and custom claims.
About JWT Decoder
The JWT Decoder lets you inspect and debug JSON Web Tokens (JWTs) without sending them to any server. JWTs are the standard for authentication and information exchange in modern web applications, used by OAuth 2.0, OpenID Connect, and virtually every API that requires authentication. Our decoder splits the token into its three components — Header, Payload, and Signature — and displays each as formatted, readable JSON. The Header reveals the signing algorithm (HS256, RS256, etc.) and token type. The Payload shows all claims including standard ones like expiration (exp), issued-at (iat), issuer (iss), and audience (aud), plus any custom claims. This is invaluable for debugging authentication issues, verifying token contents during development, and understanding API security flows. Crucially, all decoding happens client-side — your tokens never leave your browser.
Frequently Asked Questions
Is it safe to decode JWTs in this tool?
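Yes! JWT decoding happens entirely in your browser. Your tokens are never sent to any server. This is critical because JWTs often contain sensitive information like user IDs, roles, and permissions, and the payload of a signed JWT is only Base64URL-encoded, not encrypted, so anyone who holds the token can read it.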
Does this tool verify the JWT signature?
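This tool decodes and displays the token's contents but does not verify the cryptographic signature, which requires the secret key (for HMAC algorithms such as HS256) or the public key (for algorithms such as RS256). It's designed for inspection and debugging, not signature validation, so the decoded header and payload show what the token says, not proof that it is authentic or unmodified.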
What are common JWT claims?
Standard claims include: exp (expiration time), iat (issued at), nbf (not before), iss (issuer), sub (subject/user ID), aud (audience), and jti (unique token ID). Applications also add custom claims like roles, permissions, and user metadata.
Why does my JWT have three parts separated by dots?
A JWT consists of three Base64URL-encoded parts separated by dots: the Header (algorithm info), the Payload (claims/data), and the Signature (cryptographic verification). This structure allows the token to be self-contained and verifiable.
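The decode-only inspection described in the answers above, as an added example (not this tool's own code): it splits the token, Base64URL-decodes the header and payload, and reports expiry while marking the signature as unverified. The names `decodeJwt`, `b64urlToText`, `toB64url` and `SAMPLE_TOKEN`, and the sample claims, are assumptions made for illustration.

```javascript
// Added example: decode-only JWT inspection. No signature verification is done.
function b64urlToText(part) {
  // Base64URL uses '-' and '_' and drops '=' padding; map it back to Base64.
  if (!/^[A-Za-z0-9_-]+$/.test(part)) throw new Error("not Base64URL");
  const b64 = part.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  // fatal:true rejects invalid UTF-8 instead of silently replacing bytes.
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes);
}

function decodeJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected 3 dot-separated parts");
  const header = JSON.parse(b64urlToText(parts[0]));
  const payload = JSON.parse(b64urlToText(parts[1]));
  return {
    header,
    payload,
    signature: parts[2], // left encoded: it is raw bytes, not JSON
    signatureVerified: false, // nothing here proves the claims are authentic
    // exp and nbf are seconds since the Unix epoch; null means claim absent.
    expired: typeof payload.exp === "number" ? nowSeconds >= payload.exp : null,
    notYetValid: typeof payload.nbf === "number" ? nowSeconds < payload.nbf : null,
  };
}

// Helper used only to build the constructed sample token below.
function toB64url(obj) {
  const bytes = new TextEncoder().encode(JSON.stringify(obj));
  return btoa(String.fromCharCode(...bytes))
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Constructed sample: the third part is a placeholder, not a real signature.
const SAMPLE_TOKEN = [
  toB64url({ alg: "HS256", typ: "JWT" }),
  toB64url({ iss: "https://issuer.example", sub: "user-123", exp: 1700000000, role: "admin" }),
  "c2lnbmF0dXJlLXBsYWNlaG9sZGVy",
].join(".");

console.log(decodeJwt(SAMPLE_TOKEN, 1699999999));
```

The sample decodes cleanly even though its signature is a placeholder, which is why claims read this way are suitable for debugging only and not for authorization decisions.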
