🔐 JWT Decoder & Encoder

Decode, verify, and create JSON Web Tokens instantly

🔴 HEADER
{ "alg": "HS256", "typ": "JWT" }
🟣 PAYLOAD
{ "sub": "1234567890", "name": "John Doe" }
🟢 SIGNATURE
HMACSHA256(base64UrlEncode(header) + "." + base64UrlEncode(payload), secret)

🎯 JWT Decoder Use Cases

Debug Authentication Issues

Inspect JWT tokens to troubleshoot login problems, check expiration times, and verify claims in your auth flow.

API Development

Decode tokens from OAuth providers, verify payload structure, and test JWT-based API authentication.

Security Auditing

Check what data is exposed in JWTs, verify proper algorithm usage (avoid 'none'), and audit token claims.

Learning JWT Structure

Understand how JWTs work by decoding real tokens and seeing the header, payload, and signature components.

Quick Token Inspection

Instantly decode tokens without setting up libraries or writing code. Perfect for quick debugging sessions.

Frequently Asked Questions

What is a JWT (JSON Web Token)?

A JWT is a compact, URL-safe token format used for securely transmitting information between parties. It consists of three parts: Header, Payload, and Signature, separated by dots.

How do I decode a JWT?

Simply paste your JWT token in the input field above. The decoder will automatically parse and display the header, payload, and signature information in a readable JSON format.

Is my JWT data secure?

Yes! All decoding happens entirely in your browser. Your JWT tokens never leave your device - no data is sent to any server.

What algorithms are supported?

For encoding, we support HS256, HS384, and HS512 (HMAC algorithms). For decoding, we can parse any JWT regardless of the algorithm used.

How do I verify a JWT signature?

Enter your secret key in the verification field. For HMAC algorithms (HS256/384/512), we'll verify the signature matches. For RSA/ECDSA, you'll need the public key.

What is the JWT header?

The header typically contains the token type ("JWT") and the signing algorithm (e.g., "HS256"). It's Base64URL encoded.

What is the JWT payload?

The payload contains claims - statements about the user and metadata. Common claims include sub (subject), exp (expiration), iat (issued at), and custom data.

Are JWTs encrypted?

Standard JWTs (JWS) are signed but NOT encrypted. Anyone can decode the payload. Never put sensitive data like passwords in a JWT. Use JWE for encrypted tokens.

What does "exp" mean in a JWT?

"exp" is the expiration time as a Unix timestamp. After this time, the token should be rejected. Our decoder shows this as a human-readable date.

Can I use this tool offline?

Yes! Once loaded, this tool works completely offline. All JWT encoding and decoding happens in your browser with JavaScript.

Can JWT be decoded without a secret key?

Yes! The header and payload of a JWT are simply Base64URL encoded, not encrypted. Anyone can decode them without the secret key. The secret is only needed to verify the signature, not to read the contents. This is why you should never put sensitive data in a JWT payload.

Is decoding a JWT safe?

Decoding a JWT is completely safe. Our tool processes everything locally in your browser - no data is sent to any server. However, be cautious about where you paste tokens: avoid sharing production tokens in public forums or untrusted websites.

What does JWT decode return?

JWT decode returns three parts: the header (algorithm and token type), the payload (claims like user ID, expiration, custom data), and the signature (used for verification). The header and payload are decoded from Base64URL to readable JSON; the signature is a Base64URL-encoded byte string, not JSON.

How does JWT Base64 decoding work?

JWTs use Base64URL encoding (a URL-safe variant of Base64). To decode: split the token by dots, take the first two parts (header and payload), and decode each using Base64URL. The third part is the signature which requires the secret key to verify.

Is JWT decoding expensive or slow?

No! JWT decoding is extremely fast - it's just Base64 decoding and JSON parsing, both of which are instant operations. Even on slow devices, decoding happens in microseconds. Verification (checking the signature) is slightly slower but still very fast.

Can anyone decode my JWT token?

Yes, anyone with your JWT can decode and read its contents. JWTs are designed for integrity (proving the data wasn't tampered with), not confidentiality. The signature ensures the token is authentic, but the payload is readable by anyone. Never put passwords, credit cards, or secrets in a JWT.

JWT Decode Code Examples

Learn how to decode JWT tokens in different programming languages. The hand-written examples decode the payload without verifying the signature, so treat their output as untrusted until the signature has been checked.

JavaScript / Node.js

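// Decode JWT payload in JavaScript (no library needed)
// Reads the claims only; the signature is NOT verified
function decodeJWT(token) {
    const parts = token.split('.');
    if (parts.length !== 3) throw new Error('Not a JWT: expected 3 dot-separated parts');
    // Base64URL -> Base64 (atob() tolerates the missing '=' padding)
    const base64 = parts[1].replace(/-/g, '+').replace(/_/g, '/');
    // atob() returns one character per byte; decode those bytes as UTF-8
    // so non-ASCII claim values are not corrupted
    const bytes = Uint8Array.from(atob(base64), (c) => c.charCodeAt(0));
    return JSON.parse(new TextDecoder().decode(bytes));
}

// Usage
const token = 'eyJhbGciOiJIUzI1NiIs...';
const payload = decodeJWT(token);
console.log(payload);

// Or use the jwt-decode npm package (also decode-only, no verification)
// npm install jwt-decode
import { jwtDecode } from 'jwt-decode';
const decoded = jwtDecode(token);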
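
The snippets in this section only read the payload. The following added example (not code from this tool) shows the checks the FAQ describes for HMAC tokens: an algorithm allow-list that rejects 'none', a constant-time signature comparison, and the "exp" check. It assumes Node.js; the names verifyJWT, signJWT, outcome and the demo secret are hypothetical.

```javascript
// Added example (Node.js): verify an HS256/384/512 JWT before trusting its claims.
const crypto = require('node:crypto');

// Allow-list of accepted algorithms; "none" and anything unlisted is rejected.
const ALLOWED_ALGS = { HS256: 'sha256', HS384: 'sha384', HS512: 'sha512' };

const fromB64Url = (part) => JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));
const toB64Url = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');

function verifyJWT(token, secret, now = Math.floor(Date.now() / 1000)) {
    const parts = String(token).split('.');
    if (parts.length !== 3) throw new Error('malformed token');
    const [headerB64, payloadB64, signatureB64] = parts;

    const { alg } = fromB64Url(headerB64);
    if (typeof alg !== 'string' || !Object.prototype.hasOwnProperty.call(ALLOWED_ALGS, alg)) {
        throw new Error('algorithm not allowed');
    }
    // Recompute the HMAC over "header.payload" exactly as received.
    const expected = crypto.createHmac(ALLOWED_ALGS[alg], secret)
        .update(`${headerB64}.${payloadB64}`).digest();
    const actual = Buffer.from(signatureB64, 'base64url');
    // timingSafeEqual throws on unequal lengths, so compare lengths first.
    if (actual.length !== expected.length || !crypto.timingSafeEqual(actual, expected)) {
        throw new Error('bad signature');
    }
    // Only now is the payload trustworthy enough to parse and check "exp".
    const claims = fromB64Url(payloadB64);
    if (typeof claims.exp === 'number' && now >= claims.exp) throw new Error('token expired');
    return claims;
}

// Hypothetical helper: builds a constructed sample token so the example runs offline.
function signJWT(claims, secret, alg = 'HS256') {
    const signingInput = `${toB64Url({ alg, typ: 'JWT' })}.${toB64Url(claims)}`;
    const sig = crypto.createHmac(ALLOWED_ALGS[alg], secret).update(signingInput).digest('base64url');
    return `${signingInput}.${sig}`;
}

// Returns 'ok' or the rejection reason, for display and testing.
function outcome(token, secret, now) {
    try { verifyJWT(token, secret, now); return 'ok'; } catch (e) { return e.message; }
}

const SECRET = 'constructed-demo-secret';
const sample = signJWT({ sub: '1234567890', name: 'John Doe', exp: 2000 }, SECRET);
console.log(outcome(sample, SECRET, 1000));   // valid token, before exp
console.log(outcome(sample, 'wrong', 1000));  // wrong secret
console.log(outcome(sample, SECRET, 2000));   // at or after exp
```

A token without an "exp" claim is accepted by this sketch; require the claim if your issuer always sets it.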

Python

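# Decode JWT payload in Python (no library needed)
# Reads the claims only; the signature is NOT verified
import base64
import json

def decode_jwt(token):
    parts = token.split('.')
    if len(parts) != 3:
        raise ValueError('Not a JWT: expected 3 dot-separated parts')
    payload = parts[1]
    # Restore the '=' padding that Base64URL omits (adds 0-3 characters)
    payload += '=' * (-len(payload) % 4)
    decoded = base64.urlsafe_b64decode(payload)
    return json.loads(decoded)

# Usage
token = 'eyJhbGciOiJIUzI1NiIs...'
payload = decode_jwt(token)
print(payload)

# Or use PyJWT library (signature check explicitly disabled here)
# pip install pyjwt
import jwt
decoded = jwt.decode(token, options={"verify_signature": False})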

Java

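// Decode JWT payload in Java
// Reads the claims only; the signature is NOT verified
import java.nio.charset.StandardCharsets;
import java.util.Base64;

public class JWTDecoder {
    public static String decodePayload(String token) {
        String[] parts = token.split("\\.");
        if (parts.length < 2) {
            throw new IllegalArgumentException("Not a JWT: missing payload part");
        }
        byte[] decoded = Base64.getUrlDecoder().decode(parts[1]);
        // JWT payloads are UTF-8 JSON; do not rely on the platform charset
        return new String(decoded, StandardCharsets.UTF_8);
    }
    
    public static void main(String[] args) {
        String token = "eyJhbGciOiJIUzI1NiIs...";
        String payload = decodePayload(token);
        System.out.println(payload);
    }
}

// Or use java-jwt library (auth0)
// com.auth0:java-jwt:4.4.0
// Separate snippet: needs com.auth0.jwt.JWT and com.auth0.jwt.interfaces.DecodedJWT.
// JWT.decode() parses the token without verifying its signature.
DecodedJWT jwt = JWT.decode(token);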

PHP

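// Decode JWT payload in PHP (no library needed)
// Reads the claims only; the signature is NOT verified
function decodeJWT($token) {
    $parts = explode('.', $token);
    if (count($parts) !== 3) {
        throw new InvalidArgumentException('Not a JWT: expected 3 dot-separated parts');
    }
    // Base64URL -> Base64, then decode
    $payload = base64_decode(strtr($parts[1], '-_', '+/'));
    return json_decode($payload, true);
}

// Usage
$token = 'eyJhbGciOiJIUzI1NiIs...';
$payload = decodeJWT($token);
print_r($payload);

// Or use firebase/php-jwt
// composer require firebase/php-jwt
// Unlike the function above, JWT::decode() verifies the signature,
// so $key must hold the HS256 secret the token was signed with
use Firebase\JWT\JWT;
use Firebase\JWT\Key;
$decoded = JWT::decode($token, new Key($key, 'HS256'));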

Go (Golang)

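// Decode JWT payload in Go
// Reads the claims only; the signature is NOT verified
package main

import (
    "encoding/base64"
    "encoding/json"
    "errors"
    "fmt"
    "strings"
)

func decodeJWT(token string) (map[string]interface{}, error) {
    parts := strings.Split(token, ".")
    // Guard against input that is not header.payload.signature
    if len(parts) != 3 {
        return nil, errors.New("not a JWT: expected 3 dot-separated parts")
    }
    // RawURLEncoding is Base64URL without padding, as used by JWT
    payload, err := base64.RawURLEncoding.DecodeString(parts[1])
    if err != nil {
        return nil, err
    }
    var claims map[string]interface{}
    if err := json.Unmarshal(payload, &claims); err != nil {
        return nil, err
    }
    return claims, nil
}

// Usage
func main() {
    claims, err := decodeJWT("eyJhbGciOiJIUzI1NiIs...")
    fmt.Println(claims, err)
}

// Or use github.com/golang-jwt/jwt/v5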

Bash / Command Line

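# Decode JWT payload in Bash (Linux/Mac)
# Reads the claims only; the signature is NOT verified
decode_jwt() {
    local p
    # Base64URL -> Base64: swap the URL-safe characters back
    p=$(printf '%s' "$1" | cut -d'.' -f2 | tr '_-' '/+')
    # Restore the '=' padding that JWTs strip
    while [ $(( ${#p} % 4 )) -ne 0 ]; do p="$p="; done
    printf '%s' "$p" | base64 -d | jq .
}

# Usage
TOKEN="eyJhbGciOiJIUzI1NiIs..."
decode_jwt "$TOKEN"

# One-liner
p=$(echo "YOUR_JWT_HERE" | cut -d'.' -f2 | tr '_-' '/+'); while [ $(( ${#p} % 4 )) -ne 0 ]; do p="$p="; done; echo "$p" | base64 -d | jq .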