100% client-side · nothing leaves your browser

Decode a JWT

Paste a JSON Web Token to see its header and payload. This only decodes — it never verifies the signature, and the token never leaves your browser.

token

Decoding vs. verifying

A JWT's header and payload are just Base64URL-encoded JSON — anyone can decode them without a key, which is exactly what this tool does. Verifying the signature is a different operation entirely: it proves the token wasn't tampered with, and it requires the issuer's secret or public key, which this page never asks for or has access to. Don't treat a decoded-but-unverified token as trustworthy in your own code.

Common claims