JWT decoder and JSON Web Token parser online
Decode JWT header, payload and useful token metadata in the browser.
Examples
Token
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkRldlRvb2xHcmlkIn0.sig
Decoded payload
{
  "sub": "1234567890",
  "name": "DevToolGrid"
}
JWT Guides & articles
How JSON Web Tokens Work Without Hiding Their Contents
JWTs package claims into portable, signed tokens. Their value comes from verifiable integrity, not from keeping the payload secret.
JWT Security Mistakes and How to Avoid Them
Most JWT failures come from permissive verification, exposed bearer tokens, weak lifecycle decisions, and misplaced trust in readable claims.
JWT vs Sessions: Choosing an Authentication Model
JWTs and server-side sessions solve overlapping problems with different trade-offs in revocation, scale, privacy, and operational complexity.
JWT decoder
DevToolGrid Online offers a free JWT decoder and JSON Web Token parser online.
What is a JWT?
A JWT (JSON Web Token) is a compact, URL-safe token used for authentication and authorization. It has three Base64URL parts separated by dots: a header (the signing algorithm), a payload (claims such as the user id and expiry) and a signature that protects the first two parts from tampering. The header and payload are only encoded, not encrypted.
How to decode and verify a JWT
1. Paste the token into the input; the header and payload are decoded instantly.
2. Read the claims and the human-readable expiry (exp) and not-before (nbf) status.
3. To verify, paste the secret for HS256/384/512 or the public key for RS/ES algorithms.
4. Optionally sign a new HS token from a header, payload and secret.
Common JWT mistakes
- Putting secrets in the payload: The payload is only Base64-encoded and readable by anyone. Never store passwords or sensitive data in it.
- Not verifying the signature: Decoding a token does not prove it is genuine. Always verify the signature on the server.
- Ignoring expiration: A token past its exp time must be rejected even if the signature is valid.
Decoding vs verifying a JWT
Decoding simply reads the header and payload — anyone can do it because those parts are not encrypted. Verifying checks the signature against a secret or public key to confirm the token was issued by a trusted party and was not modified. This tool decodes any token and verifies HS, RS, ES and PS signatures in the browser.
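The difference between decoding and verifying, and the signature and expiry mistakes listed above, as an added server-side example in Python's standard library (not code from this tool, which uses the Web Crypto API in the browser). It covers HS algorithms only; the function names and `SAMPLE_SECRET` are assumptions made for illustration.

```python
import base64, hashlib, hmac, json, time

HS_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}
SAMPLE_SECRET = b"constructed-demo-secret"  # constructed value, not from the page

def b64url_decode(part):
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))  # restore padding

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def decode_unverified(token):
    """Decoding only: readable by anyone, proves nothing about who issued it."""
    header_b64, payload_b64, _sig = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))

def sign_hs(header, payload, secret):
    """Build an HS-signed token (used here to create test input)."""
    parts = [b64url_encode(json.dumps(p, separators=(",", ":")).encode())
             for p in (header, payload)]
    signing_input = ".".join(parts)
    mac = hmac.new(secret, signing_input.encode(), HS_ALGS[header["alg"]]).digest()
    return signing_input + "." + b64url_encode(mac)

def verify_hs(token, secret, allowed_algs=("HS256",), now=None):
    """Return the claims only if signature, exp and nbf all pass; else ValueError."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        sig = b64url_decode(sig_b64)
    except ValueError:
        raise ValueError("malformed token") from None
    alg = header.get("alg") if isinstance(header, dict) else None
    # Pin the algorithm on the server; the token's own header must not choose it.
    if alg not in allowed_algs or alg not in HS_ALGS:
        raise ValueError("algorithm not allowed")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), HS_ALGS[alg]).digest()
    if not hmac.compare_digest(expected, sig):  # constant-time comparison
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))  # parsed only after the MAC checks out
    if not isinstance(claims, dict):
        raise ValueError("malformed token")
    now = time.time() if now is None else now
    if "exp" in claims and now >= claims["exp"]:
        raise ValueError("expired")
    if "nbf" in claims and now < claims["nbf"]:
        raise ValueError("not yet valid")
    return claims
```

The sample token from the Examples section decodes cleanly with `decode_unverified` but is rejected by `verify_hs`, because its third part is the placeholder `sig` rather than a real MAC.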
FAQ
Is this tool free?
Yes. The JWT decoder and verifier are completely free, with no sign-up.
Is my token sent to a server?
No. Decoding, verification and signing happen locally in your browser, so tokens never leave your device.
Is the signature actually verified?
Yes. Provide the secret or public key and the tool checks the signature with the Web Crypto API.
Is it safe to paste a production token?
Because everything runs locally, the token is not transmitted. Still, treat live tokens with care and prefer test tokens.