What are the three parts of a JWT?
header.payload.signature — each segment is Base64url-encoded JSON (header and payload) or a binary signature. Example header: {"alg":"HS256","typ":"JWT"}. Payload holds claims like sub and exp.
Paste a JWT to read header, payload, and timing claims—or encode HS256 tokens for local testing. Everything stays in your browser.
Paste a JWT or Bearer token to inspect claims and token timing.
A JWT decoder splits a JSON Web Token into header, payload, and signature segments and displays the claims—decode and inspect locally without sending the token to a server.
A JWT (JSON Web Token) is three Base64url-encoded parts separated by dots: header (algorithm and type), payload (claims such as sub, exp, iat), and signature. Decoding is not encryption—anyone with the token can read the payload.
This tool decodes and inspects tokens in your browser, highlights exp/iat timing, and can sign test tokens with HS256/HS384/HS512 for development. Always verify signatures on your server before trusting claims in production.
Decode for debugging; verify signatures server-side with the real secret or public key.
For local browser tools that do not upload the token, dev tokens are usually fine. Never paste production tokens with live user data or admin roles into untrusted sites—this EverydayTools decoder runs entirely in your tab.
Paste the full header.payload.signature string or a Bearer token from an API response or DevTools.
Check alg in the header and claims in the payload—especially exp (expiration) and sub (subject).
The tool flags expired tokens, future nbf (not-before), and missing recommended claims.
Enter a dev-only HMAC secret to test whether the signature matches in Encode mode; in production, rely on trusted backend verification instead.
Common real-world scenarios where this tool saves time.
Inspect access tokens returned by OAuth or custom login endpoints without writing a script.
Confirm exp, aud, and iss values before wiring middleware in your API.
Use Encode mode with HS256 and sample claims to test protected routes locally.
| Action | What it does | Safe to trust claims? |
|---|---|---|
| Decode only | Reads header and payload | No—anyone can decode |
| Verify HMAC (HS256/384/512) | Checks signature with shared secret | Yes, if secret is correct |
| Verify RSA (RS256) | Needs public key | Not in this browser tool—use server |
| alg | Type | Typical use |
|---|---|---|
| HS256 | HMAC + SHA-256 | Monoliths, dev tokens, internal APIs |
| RS256 | RSA signature | OAuth providers, public-key verify |
| ES256 | ECDSA | Modern identity platforms |
A JWT is three dot-separated Base64url sections: header, payload, and signature. To decode: split on '.', take the second section, add padding if needed, and Base64url-decode it to get the JSON payload. This tool does that automatically and displays the decoded header and payload in a readable format.
Yes for HMAC algorithms (HS256, HS384, HS512)—the server and client share the same secret key and the browser can recompute the signature using the Web Crypto API. Asymmetric algorithms (RS256, ES256, PS256) require the server's public key, which this tool does not currently support.
At minimum: exp (expiration, Unix timestamp) to prevent indefinite use, and sub (subject, usually the user ID) for identification. iss (issuer) and aud (audience) are recommended for multi-service architectures to prevent token reuse across services. iat (issued at) helps compute token age and detect replay.
For development and debugging JWTs, yes—this tool runs entirely in your browser and the token is not sent anywhere. Avoid pasting production JWTs that carry sensitive user data or elevated privileges into any online tool as a security hygiene practice.
Decoding reads the header and payload without checking the signature—any Base64url decoder can do it. Verification checks that the signature was produced by a trusted party holding the correct secret or private key. Always verify the signature server-side before trusting any claims in a JWT.
Paste a JWT or Bearer token and inspect header, payload, timing claims, and warnings instantly in your browser.
Yes. Use Encode mode with HS256/HS384/HS512 signing through browser Web Crypto.
No. Decode mode is inspection-only. Verification requires trusted backend key validation.
Yes. Processing is local in your browser and tokens are not uploaded.
JWT paste and decode run in your browser—tokens are not uploaded to EverydayTools servers.
Decoding follows RFC 7519 Base64url rules; HMAC signing uses Web Crypto consistent with common libraries.
For planning and development only. Production auth must verify tokens server-side with proper key management.
Reviewed by EverydayTools Editorial Team on 2026-05-20.