JWT Decode
Inspect JWT headers, payloads, and timelines
Safety note: Decoding does not verify signatures. Avoid pasting production tokens and use JWT Verify for validation. All decoding runs locally in your browser.
JWT decode
Expect header.payload.signature (JWS) or a 5-part JWE. Decoding updates as you type.
Decoded output will appear here.
JWT Decode Tool
Decode JSON Web Tokens (JWTs) into readable JSON. This tool helps you inspect headers, payload claims, and token timelines in seconds without sending data to a server.
How to Decode a JWT
- Paste your JWT into the input box.
- Review the header and payload JSON as the output updates.
- Check claim timestamps and the token status.
Example JWT
Sample token (not verified):
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvcmRhbiBMZWUiLCJpYXQiOjE3MDQwNjcyMDAsIm5iZiI6MTcwNDA2NzIwMCwiZXhwIjoxODkzNDU2MDAwLCJpc3MiOiJodHRwczovL2VuY3J5cHQtb25saW5lLmNvbSIsImF1ZCI6ImVuY3J5cHQtb25saW5lIn0.signatureJWT Header, Payload, Signature
A JWT has three parts: header, payload, and signature. The header declares the signing algorithm, the payload contains claims, and the signature proves integrity. JWE tokens have five parts because the payload is encrypted.
Do This Locally (CLI)
# Decode the JWT payload (no signature verification)
TOKEN="eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9..."
echo "$TOKEN" | cut -d '.' -f2 | tr '_-' '/+' | base64 -d
# macOS uses: base64 -DJWT Decode FAQ
Does decoding verify the signature?
No. Decoding only reads the header and payload.
Why is my payload empty?
JWE tokens are encrypted, so only the protected header and parts show.
Is this tool safe?
Yes. Everything runs locally in your browser.
EO
Developed by the Encrypt-Online Team, a group of dedicated web development and security experts committed to providing top-notch web tools. Learn more about our mission and values on our About Us page.