
JWT Decoder Online

Decode JWT Token — Header · Payload · Claims · Expiration — free, no upload

Paste your JWT token to decode it instantly. The tool extracts the header, payload and displays all claims in a readable format: issuer, subject, issued-at, expiration, roles… Everything runs in your browser.


How to decode a JWT

A JWT (JSON Web Token) consists of three Base64URL-encoded segments separated by dots. Decoding means Base64URL-decoding the first two segments to get the header and payload JSON. The signature (third part) cannot be "decoded" — it must be verified.

This online JWT decoder does exactly that: it splits the token, decodes the header and payload, and displays all claims with their descriptions. No data is sent to any server.
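The decoding steps described above, as an added example (not this tool's own code). The function names, the sample issuer and the claim values are assumptions, and the sample token is constructed with a dummy signature.

```javascript
// Base64URL -> bytes: map the URL-safe alphabet back to Base64, restore padding.
function b64urlToBytes(segment) {
  if (!/^[A-Za-z0-9_-]*$/.test(segment) || segment.length % 4 === 1) {
    throw new Error("segment is not valid Base64URL");
  }
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const bin = atob(b64 + "=".repeat((4 - (b64.length % 4)) % 4));
  return Uint8Array.from(bin, (c) => c.charCodeAt(0));
}

// Header and payload are UTF-8 JSON once decoded.
function decodeJsonSegment(segment) {
  const text = new TextDecoder("utf-8", { fatal: true }).decode(b64urlToBytes(segment));
  return JSON.parse(text);
}

// Decode only. Nothing here checks the signature, so `verified` is always false
// and the claims must be treated as untrusted input.
function decodeJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected 3 dot-separated segments");
  const header = decodeJsonSegment(parts[0]);
  const payload = decodeJsonSegment(parts[1]);
  // exp is seconds since the epoch; the token is expired once now >= exp.
  const expired = typeof payload.exp === "number" ? nowSeconds >= payload.exp : null;
  return {
    header,
    payload,
    signatureBytes: b64urlToBytes(parts[2]).length, // raw bytes, not JSON
    expired,
    verified: false,
  };
}

// Constructed sample token (hypothetical issuer and subject, dummy signature).
function sampleToken() {
  const enc = (s) => btoa(s).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  const header = { alg: "HS256", typ: "JWT" };
  const payload = { iss: "https://issuer.example", sub: "user-123",
                    iat: 1700000000, exp: 1700003600, roles: ["reader"] };
  return [enc(JSON.stringify(header)), enc(JSON.stringify(payload)),
          enc("constructed-signature")].join(".");
}

console.log(decodeJwt(sampleToken()));
```
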

Frequently asked questions

How do I decode a JWT token?

Paste your JWT into the input field above. The tool splits on dots, Base64URL-decodes the header and payload, and parses the JSON. Results appear instantly with syntax highlighting.

Can I decode a JWT without knowing the secret?

Yes. Decoding the header and payload requires no key — they are only Base64URL-encoded. A key is only needed to verify the signature and confirm the token is authentic.

What is the 'sub' claim in a JWT?

The sub (Subject) claim identifies the principal that is the subject of the token, typically the user's unique identifier. It is one of the registered claims defined in RFC 7519.

Why is the payload readable without a key?

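The JWT payload is encoded (Base64URL), not encrypted. Anyone who holds the token can read it, so it is not a place for secrets. JWT security relies on the signature: if someone modifies the payload, signature verification will fail. Decoding alone does not perform that check, so claims from a token that has only been decoded are not yet trustworthy.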
