JWT Decoder

Paste a JWT to inspect its header, payload, and signature. Token is decoded locally — nothing is sent anywhere.

A JSON Web Token (JWT) is a compact, signed token used for authentication and passing claims between services. This JWT decoder splits a token into its header, payload, and signature and shows the decoded JSON — entirely in your browser, so your tokens are never transmitted.

How to decode a JWT

  1. Paste your JWT (the long string with two dots) into the decoder.
  2. See the header and payload decoded into readable JSON.
  3. Inspect claims like expiry (exp), issuer (iss), and subject (sub).

Anatomy of a JWT

A JWT has three Base64URL-encoded parts separated by dots: the header (algorithm and type), the payload (the claims, such as user ID and expiry), and the signature that verifies it hasn't been tampered with. Decoding reveals the header and payload — note that anyone can read them, so never store secrets in a JWT payload.

Frequently asked questions

How do I decode a JWT?
Paste the token into the decoder above. It separates the header, payload, and signature and shows the header and payload as readable JSON.
Is it safe to paste my token here?
Yes. Decoding happens entirely in your browser — the token is never uploaded. Still, treat production tokens carefully and prefer expired or test tokens when possible.
Can the payload of a JWT be read by anyone?
Yes. The payload is only Base64-encoded, not encrypted, so anyone with the token can read its claims. The signature only proves the token wasn't altered — it doesn't hide the contents.