JWT Decoder
Paste a JWT token below to decode the header and payload. Decoding does not verify the signature.
Note: this tool decodes only. It does not validate or verify signatures.
What is a JWT?
JWT (JSON Web Token) is a compact token format used for authentication and authorization.
A JWT usually has three parts: header, payload, and signature. This tool decodes header and payload locally in your browser and does not verify the signature.
How to use the JWT Decoder
- Paste a JWT token into the input field.
- The tool will decode the header and payload as formatted JSON.
- Copy the decoded JSON if you need it for debugging.
Tips
- If decoding fails, check that your token has three dot-separated parts.
- Claims like exp, iat, and nbf are usually UNIX seconds.
- If your token was copied with spaces or line breaks, remove them.
- Signature verification requires the secret or public key and is not done here.
Related guides
Learn the workflow behind this tool and what to check next.
How to inspect JWT auth issues
A JWT troubleshooting flow for checking token claims, time values, permissions, and signing assumptions without treating decoding as verification.
How to validate a domain before launch
A launch workflow for confirming DNS records, domain ownership signals, SSL coverage, and security headers on the public endpoint.
JWT inspection checks before troubleshooting auth
Decoding a JWT helps you verify claims and expiration metadata, but it does not prove that the token is trusted or accepted by your backend.
Expiration claims
Check exp, iat, nbf, timezone assumptions, and clock skew before investigating sessions or refresh token flows.
Audience and issuer
Confirm aud, iss, tenant, client_id, and environment values match the service that will validate the token.
Role and scope claims
Inspect scopes, roles, permissions, and feature flags when an authenticated request is accepted but unauthorized.
Signature caution
Decoded content is not verification. Never treat an unsigned or unverified token as proof of identity.
Privacy and usage
Built for quick checks without an account
Toolinix tools are designed for short developer tasks: paste a safe sample, inspect the result, copy what you need, and move on.
No login required
You can use the tools without creating an account, subscribing to a newsletter, or saving a workspace.
Local when possible
Formatters, generators, encoders, and text utilities generally run in your browser. Network diagnostics may need a server-assisted lookup to check public URLs, domains, or IPs.
Keep secrets out
Do not paste production passwords, private keys, access tokens, customer records, or regulated data into online tools unless your own security policy allows it.
Related tools
You may also find these tools useful.