Ad
DevToolXDevToolX

JWT Decoder

Decode JWT tokens to view Header and Payload

About JWT Decoder

A JSON Web Token is three Base64url-encoded segments — header, payload, signature — joined by dots. The header identifies the signing algorithm; the payload carries the claims (user identity, expiry, permissions); the signature proves the token was issued by a trusted party. This tool decodes the first two segments so you can inspect the contents. It does not verify the signature — do that in your application code with the actual secret or public key.

Common Use Cases

Inspect token contents during API debugging
Paste a token from a failed request to read its claims immediately without writing decoding code.
Check exp and iat timestamps
Confirm when a token was issued and when it expires by reading the decoded Unix timestamps, useful for diagnosing authentication failures.
Examine custom claims
Read application-specific claims such as roles, scopes, or tenant IDs to verify the authorization server included the expected data.
Compare frontend and backend token views
Decode the same token on each side to confirm both ends are reading the same claims and not using stale or different tokens.

Frequently Asked Questions

Does this tool verify the token signature?

No. This tool only decodes the header and payload segments — it does not validate the signature. A decoded token tells you what the claims say, not whether the token is trustworthy. Always verify the signature server-side using a library with your actual signing key before trusting any claim.

Should I paste production tokens into any online tool?

No. A JWT may encode sensitive user data or grant access to your services. Treat production tokens as secrets. For debugging, create a short-lived test token or redact the signature segment before sharing.

How do I interpret exp and iat?

Both are Unix timestamps — seconds elapsed since 1970-01-01T00:00:00Z. exp is the expiry time; iat is the issued-at time. Convert them to human-readable dates with a timestamp tool, or check Date.now()/1000 > exp in JavaScript to test expiry.

What is the alg:none attack?

Some early JWT libraries accepted a token whose header declared alg: none and then skipped signature verification entirely, trusting any payload the client sent. Modern libraries reject alg:none by default. The attack is a reminder that algorithm selection must be enforced server-side, not negotiated from the token header.

How is JWT different from a session cookie?

A session cookie stores only an opaque session ID; the server looks up the session data in a database. A JWT is self-contained — the claims are encoded in the token itself, so the server can verify and read them without a database round-trip. The trade-off is that JWTs cannot be invalidated before they expire unless you maintain a server-side blocklist.

Related Tools

Base64 Encoder/Decoder
Encode text to Base64 or decode Base64 to text
Base64 Image Converter
Convert between images and Base64 strings with format support
URL Encoder/Decoder
Encode or decode URL strings
JSON Formatter
Format, validate and beautify JSON data