TextArray
100% local

JWT decoder

Decode a JSON Web Token and read its header and payload — without verifying the signature.

Input
Output

JWT decoder

Paste a JSON Web Token and this decoder splits it into its dot-separated parts, decodes the Base64URL header and payload, and formats both as readable JSON. Use it to debug login flows, inspect access and ID tokens from OAuth and OpenID Connect providers, check which claims your backend actually issues, or find out why a request keeps coming back as 401.

Time claims are the most common reason to open a token. With the date option enabled, the decoder lists exp (expiry), iat (issued at) and nbf (not before) a second time as ISO 8601 timestamps, so you can see at a glance whether a token has already expired or is not valid yet. The tally under the output shows the signing algorithm from the header and how many claims the payload carries.

One thing this tool deliberately does not do: verify the signature. Checking a signature requires the signing secret or the issuer's public key, and a secret pasted into a web page is a secret leaked. The decoder shows the token's contents and always marks the signature as not verified — treat every decoded token as unauthenticated data.

Decoding happens entirely in your browser; the token never leaves your device and nothing is sent to any server. That matters more here than almost anywhere else, because even a short-lived staging token grants access to something. Tokens wrapped across several lines and values copied with a Bearer prefix are cleaned up automatically before decoding.

FAQ

Does it verify the signature?
No. Verification needs the signing secret or the issuer's public key, and those should never be pasted into a website. The decoder shows the header and payload and always marks the signature as not verified.
Is my token uploaded anywhere?
No. Decoding runs entirely in your browser and the token never leaves your device. Still, prefer expired or test tokens when you share screenshots.
Why are exp and iat plain numbers?
JWT time claims are Unix timestamps — seconds since 1 January 1970 UTC. Keep the date option on and the decoder prints them a second time as ISO 8601 dates.
Which tokens can it decode?
Compact JWS tokens with two or three dot-separated parts, including unsigned alg none tokens and values copied with a Bearer prefix. Encrypted JWE tokens (five parts) can't be decoded without the key.