Decode and inspect any JSON Web Token instantly. Runs entirely in your browser — your token never leaves your device. Optionally verify the signature with your own secret.
Header
Paste a token above to decode it.
Payload
Paste a token above to decode it.
A JSON Web Token (JWT) is a compact, URL-safe token format defined in RFC 7519, commonly used for authentication and authorization between services. A JWT consists of three base64url-encoded parts separated by dots: a header (algorithm and token type), a payload (the claims), and a signature that verifies the token hasn't been tampered with.
Anyone can decode a JWT's header and payload — they are only base64url-encoded, not encrypted. This tool decodes those parts locally in your browser and, if you provide the signing secret, verifies the signature for HMAC-based tokens (HS256/HS384/HS512).
Need to generate a JWT instead?
Build and sign a new token with a custom payload and secret.