JWT Decode
Inspect token structure before you decide what to verify
Decode JSON Web Tokens (JWTs) into readable JSON. This tool highlights risky headers, claim timing, and token structure so you can inspect first and verify second. Input takes the form header.payload.signature for a JWS, or five parts for a JWE, and decoding updates as you type.
- Paste the token into the input box.
- Review the header and payload JSON, then scan the warnings for high-signal issues.
- Copy the exact token or send it directly into JWT Verify when you need trust, not just readability.
Sample token (decoded, not trusted):
eyJhbGciOiJIUzI1NiIsImtpZCI6ImRlbW8ta2V5IiwidHlwIjoiSldUIn0.eyJzdWIiOiIxMjM0NTY3ODkwIiwic2NvcGUiOiJyZWFkOmFsbCIsImlhdCI6MTcwNDA2NzIwMCwibmJmIjoxNzA0MDY3MjAwLCJleHAiOjE4OTM0NTYwMDAsImlzcyI6Imh0dHBzOi8vZW5jcnlwdC1vbmxpbmUuY29tIiwiYXVkIjoiZW5jcnlwdC1vbmxpbmUifQ.SSkPrr1oastMqBIPoXt5CDn-VpqXPyTtZo_CfKRlppw

A standard JWS has three parts: header, payload, and signature. A JWE has five parts because the payload is encrypted. This decode page can inspect JWS headers and payloads, and it can inspect the protected header of a JWE, but it cannot decrypt JWE claims on its own.
# Decode the JWT payload locally (no signature verification)
node -e "const token=process.env.TOKEN; const payload=token.split('.')[1]; const base64=payload.replace(/-/g,'+').replace(/_/g,'/'); const padded=base64.padEnd(Math.ceil(base64.length / 4) * 4, '='); console.log(Buffer.from(padded, 'base64').toString('utf8'));"
# This repairs Base64URL padding and keeps UTF-8 payload text readable.

Does decoding verify the signature?
No. Decode only reads the token structure and claims. Verification is a separate trust step.
Why is my payload empty?
Five-part JWEs encrypt the payload. This tool can show the protected header and raw parts, but not decrypted claims.
Why do I see an alg:none warning?
A token declaring alg: none has no signature to trust. Treat it as unverified input unless your workflow explicitly expects unsigned tokens.
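The checks described on this page (part count, `alg: none`, and claim timing) can be reproduced locally. The sketch below is an added example, not this tool's own code; the function names, warning strings and sample tokens are constructed for illustration.

```javascript
// Added example: structural inspection only; nothing here verifies a signature.
function decodeSegment(segment) {
  // Base64URL -> Base64. Node's decoder tolerates the missing '=' padding.
  const base64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(base64, 'base64').toString('utf8'));
}

function inspectJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split('.');
  const result = { kind: null, header: null, payload: null, warnings: [] };
  if (parts.length === 3) result.kind = 'JWS';
  else if (parts.length === 5) result.kind = 'JWE';
  else {
    result.warnings.push(`expected 3 (JWS) or 5 (JWE) parts, got ${parts.length}`);
    return result;
  }
  try {
    result.header = decodeSegment(parts[0]);
  } catch {
    result.warnings.push('header is not Base64URL-encoded JSON');
    return result;
  }
  if (String(result.header?.alg).toLowerCase() === 'none') {
    result.warnings.push('alg:none, no signature to trust');
  }
  if (result.kind === 'JWE') {
    result.warnings.push('JWE payload is encrypted, claims not shown');
    return result;
  }
  try {
    result.payload = decodeSegment(parts[1]);
  } catch {
    result.warnings.push('payload is not Base64URL-encoded JSON');
    return result;
  }
  const { exp, nbf } = result.payload || {};
  if (typeof exp === 'number' && exp <= nowSeconds) result.warnings.push('exp is in the past');
  if (typeof nbf === 'number' && nbf > nowSeconds) result.warnings.push('nbf is in the future');
  return result;
}

// Constructed sample tokens (not from the page), built inline so this runs offline.
const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64')
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const unsignedToken = `${enc({ alg: 'none', typ: 'JWT' })}.${enc({ sub: 'demo', exp: 1000 })}.`;
const jweToken = `${enc({ alg: 'dir', enc: 'A256GCM' })}..aXY.Y3Q.dGFn`;
console.log(inspectJwt(unsignedToken, 2000));
console.log(inspectJwt(jweToken, 2000));
```

A result with no warnings still says nothing about trust; the token has only been read, not verified.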