Do you verify JWT signatures?

No. This only decodes header and payload. Use a signature validator with the correct key to verify integrity.

Is my token uploaded or stored?

No. Decoding runs locally in your browser and clears on refresh.

Why do I get a padding or character error?

JWTs use Base64URL (characters A-Z, a-z, 0-9, -, _). Remove '+', '/', or adjust padding if needed.

Do you show expiry or audience problems?

We display the claims; you must interpret exp/aud/iss yourself. Expired tokens will still decode.

Should I paste production tokens?

Avoid pasting production or highly sensitive tokens. This runs locally, but keep secrets out of browsers when possible.

developer validator

JWT Decoder

Decode JWT headers and payloads client-side—no uploads, no signature verification, and no storage.

Results

Paste input and validate locally.

Status: Ready when you validate.
Details: Ready when you validate.
Header: Ready when you validate.
Payload: Ready when you validate.

How to use this validator

Paste the JWT string (header.payload.signature).
Click validate to Base64URL-decode header and payload locally.
Review alg/kid and claims (exp, aud, iss). If malformed, fix the token or regenerate it.

Rules & checks

Accepts 3-part JWTs using Base64URL segments (header.payload.signature).

Decodes header and payload only; signatures are NOT verified.

Supports unpadded Base64URL segments commonly used in JWTs.

Runs fully client-side/offline; tokens are not uploaded or stored.

Inputs explained

JWT
Paste the full token with three Base64URL segments separated by dots. Do not paste production or highly sensitive tokens.

When to use it

Inspect claims while debugging authentication flows.
Confirm header alg/kid before configuring signing/verification.
Check exp/aud/iss during QA of API clients or gateways.
Validate structure before passing tokens into downstream tooling.

Common errors

Missing one of the three segments (header, payload, signature).
Non-Base64URL characters in a segment.
Padded Base64 with '=' when provider expects unpadded Base64URL (or vice versa).
Expired tokens (exp in the past) — decoding works but claim shows expiration.

Limitations

No signature verification—only Base64URL decoding of header and payload.
Does not fetch JWKS or perform key discovery; bring your own keys for verification elsewhere.
Does not enforce claim semantics (expiry, audience) beyond showing their values.
Large tokens may be slow to display; keep tokens moderate in size.

Tips

Never paste production secrets; this tool does not verify signatures.
After decoding, verify signatures separately (e.g., JWT signature validator) with the right secret/key.
If you see padding errors, ensure segments are Base64URL (no + or /, often no =).
Redact sensitive claims before sharing screenshots in tickets.

Examples

Valid JWT

Three segments decode to readable JSON header/payload. Signature is not verified.

Malformed

Two segments only -> Invalid (JWT must have three parts).

Corrupted Base64URL

Bad characters or padding -> Invalid; fix encoding and retry.

HS token with wrong alg

Unexpected alg value -> decode still works but remind to verify manually.

Deep dive

This JWT decoder Base64URL-decodes headers and payloads entirely in your browser, so you can inspect alg, kid, exp, aud, and custom claims without uploading tokens.

Use it for quick auth debugging, then pair with a JWT signature validator to verify HS256/RS256 signatures using your own keys. Nothing is stored or sent to a server.

FAQs

Do you verify JWT signatures?: No. This only decodes header and payload. Use a signature validator with the correct key to verify integrity.
Is my token uploaded or stored?: No. Decoding runs locally in your browser and clears on refresh.
Why do I get a padding or character error?: JWTs use Base64URL (characters A-Z, a-z, 0-9, -, _). Remove '+', '/', or adjust padding if needed.
Do you show expiry or audience problems?: We display the claims; you must interpret exp/aud/iss yourself. Expired tokens will still decode.
Should I paste production tokens?: Avoid pasting production or highly sensitive tokens. This runs locally, but keep secrets out of browsers when possible.

Related validators

security

JWT Signature Validator (HS256)

Validate HS256 JWT signatures with a shared secret, fully client-side—no tokens or secrets ever leave your browser.

developer

Base64 Validator

Validate and decode standard or URL-safe Base64 entirely in your browser—no uploads or storage.

security

Password Strength Checker

Score password strength with clear, local checks—length, variety, and guidance without sending data anywhere.

security

Password Entropy Calculator

Estimate password entropy (bits) in-browser to see how length and character sets impact strength.

web

URL Validator & HTTP Link Parser

Validate HTTP and HTTPS URLs locally, parse host/path, and catch malformed links before publishing, importing, or sending them to APIs.

web

Security Headers SEO Validator & Public Site Hardening Checker

Validate public-site HTTP security headers for HTTPS trust, response hardening, framing protection, referrer leakage, browser permissions, and launch-readiness QA.

web

Open Graph & Twitter Card SEO Validator

Validate rendered Open Graph and Twitter/X card tags for search-result snippets, social previews, share-card images, absolute URLs, and launch QA before publishing.

developer

Regex Tester

Test regex patterns against sample text with live matches and errors.

developer

UUID Validator

Check UUIDs (v1–v5) for proper formatting before using them in requests or logs.

JWT decoding runs entirely in your browser. Tokens are not sent, logged, or stored.

Decoding only—no signature verification. Avoid pasting production secrets.