Ready
Enter a token to see the decoded content.
Guide
A JWT Decoder parses a JSON Web Token and reveals the header, payload, and signature components in a human-readable format. JWTs are the dominant authentication token format in modern web applications — used by OAuth 2.0, OpenID Connect, most REST APIs, and virtually every SaaS identity provider including Auth0, AWS Cognito, Firebase Auth, and Okta. Understanding what's inside a JWT is an essential skill for anyone working with APIs or authentication systems.
A JSON Web Token has three parts separated by dots: header.payload.signature. The header and payload are Base64URL-encoded JSON objects. The signature is a cryptographic hash of the header and payload, computed using a secret (for HMAC algorithms) or a private key (for RSA/ECDSA algorithms).
The header declares the token type (JWT) and the signing algorithm (HS256, RS256, ES256, etc.).
The payload contains "claims" — statements about the subject. Standard claims include sub (subject/user ID), iss (issuer), aud (audience), exp (expiration timestamp), iat (issued-at timestamp), and nbf (not-before timestamp). Applications typically add custom claims for roles, permissions, and user metadata.
The signature prevents tampering. Without the secret or public key, an attacker cannot forge a valid JWT. However, the payload is NOT encrypted — it is only Base64URL-encoded, which anyone can reverse. Never put passwords, SSNs, payment card numbers, or other sensitive secrets in a JWT payload.
Debugging authentication failures: When a user gets a 401 or 403 response, inspecting the JWT reveals whether the token has expired (exp), whether the audience claim (aud) matches the expected service, or whether the required role claim is missing.
Verifying token contents during development: When integrating with a third-party identity provider, decoding the received token confirms that the expected claims are present before writing code that depends on them.
Security audits: Checking whether JWT tokens in a system contain sensitive data in the payload that should be encrypted rather than merely encoded.
Token expiry calculations: The exp and iat claims are Unix timestamps. Decoding reveals exactly when a token was issued and when it expires, expressed as human-readable dates.
The UtilsGo JWT Decoder performs all decoding in your browser. JWTs — which may contain user IDs, roles, and session data — are never transmitted to any server.
Parse JWT strings instantly as you paste them, showing Header, Payload, and verification status.
Your JWT credentials never touch any external server. Complete privacy for API authorization keys.
Pretty-prints Header and Payload JSON structures with standard indentation and syntax highlighting.
Everything runs inside your web browser. We never upload your text, files, or personal data to any servers.
No sign-ups, no subscriptions, and no usage limits. Get your results instantly in a single click.
"Debugging JWTs has never been easier. Works perfectly for API testing."
Ryan Chen
"Clear payload display. Saved me hours of manual decoding."
Hannah White
Thousands of users trust UtilsGo daily