JWT Decoder
Decode and verify JSON Web Tokens. Inspect headers, payloads, and registered claims, and check signatures with HMAC, RSA, RSA-PSS, or ECDSA keys.
Decoded entirely in your browser. Tokens and keys never leave your device.
About JWT
A JSON Web Token has three base64url-encoded segments separated by dots: header (algorithm and type), payload (claims), and signature. Decoding only requires base64url + JSON; verification additionally checks the signature with the issuer's secret or public key.
Security notes
- alg: none means the token is unsigned. Never trust it for authentication.
- Watch for the classic RS256 → HS256 confusion attack: an attacker can swap the algorithm and sign with the public key as a shared HMAC secret. Always pin the expected algorithm server-side.
- Header alg is not authoritative — your verifier must enforce the algorithm it expects, not the algorithm the token claims.