JWT Decoder

Decode, verify, and debug JSON Web Tokens (JWT) securely on the client side.

Encoded Token

Label

Paste a JWT to decode it. No data is sent to any server.

Header

Algorithm & Token Type

{}

Payload

Data & Claims

{}

Signature

Verification

Signature verification requires a secret key.

Embed this tool on your site

Free · No account or API key required · 100% client-side

Free

JWT Decoder

A JWT (JSON Web Token) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed.

Structure of a JWT

A JWT typically consists of three parts separated by dots (.):

Header: Typically consists of two parts: the type of the token, which is JWT, and the signing algorithm being used, such as HMAC SHA256 or RSA.
Payload: Contains the claims. Claims are statements about an entity (typically, the user) and additional data.
Signature: To create the signature part you have to take the encoded header, the encoded payload, a secret, the algorithm specified in the header, and sign that.

Security Note

This tool decodes JWTs entirely on your browser (client-side). Your tokens are never sent to our servers. However, you should always be cautious when pasting sensitive tokens (like production access tokens) into any online tool.

What it is

JWT Decoder

A JWT Decoder inspects the contents of a JSON Web Token by splitting its three parts (header, payload, signature) and Base64URL-decoding the first two. Utified JWT Decoder runs in your browser — tokens never leave your device.

Cost

Free, unlimited

Inspects

Header + Payload

Validates

Structure only (not signature)

Privacy

No network calls

When to use it

Debugging authentication issues during development
Checking which claims an OAuth provider returned
Inspecting token expiry (exp) and issued-at (iat) timestamps

How to use it

Paste your JWT

Drop a full token — three Base64URL-encoded segments separated by dots.

Read decoded header and payload

JSON-formatted view of each part. Common claims (iss, sub, exp) are highlighted.

Verify expiry locally

See whether the token is still valid based on its exp claim. Signature verification requires the secret/public key.

100% client-side. Tokens are decoded locally — never sent over the network.

Examples

Decode Sample Token

Input

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9

Output

{"alg":"HS256","typ":"JWT"}

Decodes the token header

Inspect Payload Claims

Input

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaGFuIjoiMjMwfQ

Output

{"sub":"1234567890","name":"John", "admin":true}

Displays the token's payload claims

Verify Token Signature

Input

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaGFuIjoiMjMwfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Output

Signature valid

Confirms the token's signature is valid

Common pitfalls

!
Invalid Token Format: Ensure the token is in the correct format, with three parts separated by dots. Incorrect format will result in decoding errors.
!
Missing Signature: Always verify the token's signature to ensure its authenticity and integrity.
!
Expired Token: Be aware of token expiration times to avoid using expired tokens, which can lead to authentication errors.
!
Incorrect Key: Use the correct secret key for signature verification to avoid false positives or negatives.

Frequently asked questions

What is a JSON Web Token?+

A JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties.

How do I decode a JWT?+

Use the JWT Decoder tool to paste the token and click decode.

What information does a JWT contain?+

A JWT contains a header, payload, and signature, which can include claims such as user identity or permissions.

Why is it important to verify a JWT's signature?+

Verifying the signature ensures the token's authenticity and integrity, preventing tampering or forgery.

Can I use the JWT Decoder for security testing?+

Yes, the JWT Decoder can be used for security testing to identify potential vulnerabilities in JWT handling.

Is the JWT Decoder free to use?+

Yes, the JWT Decoder is a free tool provided by Utified.

How do I report issues with the JWT Decoder?+

Contact Utified support to report any issues or provide feedback on the JWT Decoder.

Related Security Tools

Credit Card Validator

Secure client-side credit card number validation and issuer detection.

Open

Memorable Password Generator

Create memorable passwords with a mix of letters, numbers, and symbols for enhanced security.

Open

Password Strength Analyzer

Evaluate the strength and security of your passwords.

Open

JWT Decoder

Decode, verify, and debug JSON Web Tokens (JWT) securely on the client side.

Encoded Token

Label

Paste a JWT to decode it. No data is sent to any server.

Header

Algorithm & Token Type

{}

Payload

Data & Claims

{}

Signature

Verification

Signature verification requires a secret key.

Embed this tool on your site

Free · No account or API key required · 100% client-side

Free

JWT Decoder

Structure of a JWT

A JWT typically consists of three parts separated by dots (.):

Header: Typically consists of two parts: the type of the token, which is JWT, and the signing algorithm being used, such as HMAC SHA256 or RSA.
Payload: Contains the claims. Claims are statements about an entity (typically, the user) and additional data.
Signature: To create the signature part you have to take the encoded header, the encoded payload, a secret, the algorithm specified in the header, and sign that.

Security Note

What it is

JWT Decoder

Cost

Free, unlimited

Inspects

Header + Payload

Validates

Structure only (not signature)

Privacy

No network calls

When to use it

Debugging authentication issues during development
Checking which claims an OAuth provider returned
Inspecting token expiry (exp) and issued-at (iat) timestamps

How to use it

Paste your JWT

Drop a full token — three Base64URL-encoded segments separated by dots.

Read decoded header and payload

JSON-formatted view of each part. Common claims (iss, sub, exp) are highlighted.

Verify expiry locally

See whether the token is still valid based on its exp claim. Signature verification requires the secret/public key.

100% client-side. Tokens are decoded locally — never sent over the network.

Examples

Decode Sample Token

Input

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9

Output

{"alg":"HS256","typ":"JWT"}

Decodes the token header

Inspect Payload Claims

Input

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaGFuIjoiMjMwfQ

Output

{"sub":"1234567890","name":"John", "admin":true}

Displays the token's payload claims

Verify Token Signature

Input

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaGFuIjoiMjMwfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Output

Signature valid

Confirms the token's signature is valid

Common pitfalls

!
Invalid Token Format: Ensure the token is in the correct format, with three parts separated by dots. Incorrect format will result in decoding errors.
!
Missing Signature: Always verify the token's signature to ensure its authenticity and integrity.
!
Expired Token: Be aware of token expiration times to avoid using expired tokens, which can lead to authentication errors.
!
Incorrect Key: Use the correct secret key for signature verification to avoid false positives or negatives.

Frequently asked questions

What is a JSON Web Token?+

A JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties.

How do I decode a JWT?+

Use the JWT Decoder tool to paste the token and click decode.

What information does a JWT contain?+

A JWT contains a header, payload, and signature, which can include claims such as user identity or permissions.

Why is it important to verify a JWT's signature?+

Verifying the signature ensures the token's authenticity and integrity, preventing tampering or forgery.

Can I use the JWT Decoder for security testing?+

Yes, the JWT Decoder can be used for security testing to identify potential vulnerabilities in JWT handling.

Is the JWT Decoder free to use?+

Yes, the JWT Decoder is a free tool provided by Utified.

How do I report issues with the JWT Decoder?+

Contact Utified support to report any issues or provide feedback on the JWT Decoder.