Curated picks
JWT decoder
Debug tokens and compare claims with what your API expects after real verification.
Try it
JWT decoder
Paste a JWT (three Base64URL segments separated by dots). We decode the header and payload to formatted JSON. The signature is shown only as a reminder — it is not verified.
This tool does not verify signatures or check expiry. Treat decoded claims as untrusted until your server validates the token.
What a JWT is
A JSON Web Token is typically header.payload.signature. Header and payload are Base64URL-encoded JSON. The signature proves integrity when checked with the correct key.
Why verification matters
Anyone can forge a payload unless your service checks the signature (and common claims like exp). Never trust decoded JSON alone for authorization.
Privacy
Decoding happens locally. Still avoid pasting production tokens into shared machines or untrusted sites.