JWT debugger
Decode the header and payload of a JSON Web Token, privately.
Your token is decoded only in your browser. Nothing is uploaded.
How to use this tool
- Paste a complete token into the box.
- Click Decode. The header and payload appear as readable JSON.
What a JWT contains
A JSON Web Token has three parts separated by dots: a header, a payload, and a signature. The header and payload are Base64url-encoded JSON, so they can be read by anyone who holds the token. The signature is what proves the token has not been changed. This tool decodes the readable parts so you can inspect claims like the subject, issued-at, and expiry.
A note on safety
This tool only decodes. It does not verify the signature. Never paste a real production token into any website you do not control. Because the decoding here runs entirely in your browser, the token never leaves your device, but it is still good practice to use test tokens.
Common questions
Why did decoding fail?
A token needs three dot-separated parts. If it is truncated or you pasted only the payload, decoding cannot run.
Does it check if the token is valid?
No. Verifying the signature needs the secret or public key, which stays on your server. This tool only shows what is inside.
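The decoding described under "What a JWT contains" and the failure case from "Why did decoding fail?", written out as an added JavaScript example (not this tool's own code). The function names and the sample token are constructed for illustration.

```javascript
// Added example: decode-only JWT inspection. Nothing here verifies the signature.
function b64urlToJson(segment) {
  // Base64url swaps '+' and '/' for '-' and '_' and drops '=' padding.
  if (!/^[A-Za-z0-9_-]+$/.test(segment) || segment.length % 4 === 1) {
    throw new Error("segment is not valid Base64url");
  }
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/")
    .padEnd(Math.ceil(segment.length / 4) * 4, "=");
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  // fatal: true rejects invalid UTF-8 instead of silently substituting characters.
  return JSON.parse(new TextDecoder("utf-8", { fatal: true }).decode(bytes));
}

function decodeJwt(token) {
  const parts = String(token).trim().split(".");
  if (parts.length !== 3) {
    // Truncated token, or only the payload was pasted.
    throw new Error(`expected 3 dot-separated parts, got ${parts.length}`);
  }
  const header = b64urlToJson(parts[0]);
  const payload = b64urlToJson(parts[1]);
  if (payload === null || typeof payload !== "object") {
    throw new Error("payload is not a JSON object");
  }
  // iat and exp are seconds since the Unix epoch; show them as readable dates.
  const toIso = (v) => {
    const d = new Date(v * 1000);
    return typeof v === "number" && !isNaN(d) ? d.toISOString() : null;
  };
  return {
    header,
    payload,
    issuedAt: toIso(payload.iat),
    expiresAt: toIso(payload.exp),
    verified: false, // decoding proves nothing about authenticity
  };
}

// Constructed test token: the signature part is a placeholder, not a real MAC.
function makeSampleToken() {
  const enc = (obj) => btoa(JSON.stringify(obj))
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return [enc({ alg: "HS256", typ: "JWT" }),
    enc({ sub: "user-123", iat: 1700000000, exp: 1700003600 }),
    "constructed-signature-not-valid"].join(".");
}
```

The decoded claims are untrusted input until a server holding the key has verified the signature.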