May 29, 2026 · 6 min read

How to Decode a JWT Token (Safely, In Your Browser)

Learn what a JWT is, how its header, payload, and signature work, and how to decode one safely in your browser with a free JWT decoder.

A JSON Web Token (JWT) looks like a random string of dots and characters, but it's actually three Base64Url-encoded segments containing readable data. Decoding it is essential for debugging authentication issues.

Anatomy of a JWT

A JWT has three parts separated by dots: header.payload.signature.

  • Header — algorithm and token type (e.g. HS256, JWT)
  • Payload — the claims (user ID, expiry, custom data)
  • Signature — used to verify the token wasn't tampered with

Decode in seconds

Paste your JWT into our JWT Decoder to see the header and payload as formatted JSON. The decoding happens entirely in your browser — no tokens are sent to any server, which matters because JWTs often contain session credentials.

Decoding ≠ verifying

Anyone can decode a JWT: the data is just Base64Url-encoded. Only the holder of the signing secret can verify the signature is authentic. Never trust JWT claims in a backend without verifying the signature first.
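
To make the difference concrete, here is a small decoder that runs in a browser console or Node using only built-ins. It is an added example, not the code behind the JWT Decoder tool; the function names, the sample claims, and the placeholder signature are assumptions constructed for illustration.

```javascript
// Added example: decode (never verify) a JWT with built-ins only.
function base64UrlToText(segment) {
  if (!/^[A-Za-z0-9_-]+$/.test(segment)) {
    throw new Error("segment is not Base64Url");
  }
  // Base64Url swaps '+' and '/' for '-' and '_' and drops '=' padding.
  let b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  b64 += "=".repeat((4 - (b64.length % 4)) % 4);
  // atob returns one character per byte; decode those bytes as UTF-8.
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  return new TextDecoder().decode(bytes);
}

function decodeJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) {
    throw new Error("expected header.payload.signature");
  }
  const header = JSON.parse(base64UrlToText(parts[0]));
  const payload = JSON.parse(base64UrlToText(parts[1]));
  return {
    header,
    payload,
    signature: parts[2], // left encoded: raw bytes, not JSON
    expired: typeof payload.exp === "number" ? payload.exp <= nowSeconds : null,
    verified: false, // nothing here checks the signature
  };
}

// Constructed sample token; the third segment is a placeholder, not a real signature.
const toB64Url = (obj) =>
  btoa(JSON.stringify(obj)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const SAMPLE_TOKEN = [
  toB64Url({ alg: "HS256", typ: "JWT" }),
  toB64Url({ sub: "user-123", exp: 1700000000 }),
  "not-a-real-signature",
].join(".");

// Decoding succeeds even though the signature is junk, so the claims are untrusted input.
const decoded = decodeJwt(SAMPLE_TOKEN, 1700000001);
console.log(decoded.header.alg, decoded.payload.sub, decoded.expired, decoded.verified);
```

The decoder returns the claims without complaint even though the signature segment is meaningless, which is exactly why a backend must run a real signature check before acting on anything in the payload.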

Related developer tools

If you're working with the raw segments, decode them individually with our Base64 Encoder / Decoder tool. Once you have the JSON payload, pretty-print it with the JSON Formatter & Validator for easier reading.