JWT Decoder
About JWT Decoder
Paste a JSON Web Token to inspect its decoded header, payload, signature length, and registered time claims. Decoding is not validation; use the verification options when you have the correct shared secret.
How to Use
Paste a JSON Web Token to inspect its decoded header, payload, signature length, and registered time claims. Decoding is not validation; use the verification options when you have the correct shared secret.
- Open the tool : Go to JWT Decoder to use the tool.
- Review the controls : Check the available fields and actions before you start.
- Use the result : Run the action you need, then copy or share the output.
Common Questions
What does JWT Decoder help inspect or debug?
Decode JWT headers and payloads with optional HMAC signature verification.
Can I copy or export the result from JWT Decoder?
Yes. Use the copy button or any download option that appears after the result is generated.
Can a decoded JWT be modified and reused?
No. While anyone can freely decode the Base64Url payload of a JSON Web Token (JWT) to read its contents, modifying the data invalidates its cryptographic signature. The receiving server will immediately reject the token unless it is re-signed with the original private secret key.
Is it safe to store sensitive data in a JWT payload?
No. The payload of a standard JWT is only Base64 encoded, not encrypted. Any user or interceptor can decode the token and read the claims inside. Never place passwords, social security numbers, or private personal data inside a JWT payload.
Fields
- Verification mode - Decode only, or verify an HMAC-signed JWT with a shared secret.
- Shared secret - Used only for HS256, HS384, and HS512 verification.
Actions
- Decode JWT