A JSON Web Token, or JWT, is a compact token format used for authentication and authorization in modern web APIs. It consists of three Base64url-encoded segments separated by dots: a header that describes the signing algorithm, a payload that carries claims (typically the user identity and expiration time), and a signature that proves the token was issued by a trusted party. This decoder splits any JWT you paste into its three parts, decodes the header and payload as JSON, and displays them in a readable format. It does not verify the signature, because verification requires the issuer's secret or public key. This tool is for inspection and debugging: checking that the claims are what you expect, confirming the token has not expired, or comparing what the server actually issued against what your client is sending. Everything happens in your browser. The token never leaves the page.
Frequently asked questions
No. Signature verification requires the issuer's signing key, which the decoder does not have. This tool only decodes the token so you can read what is inside. Use a library on your server to verify signatures before trusting any token in production code.