🛠️ ToolsShed

JWT Decoder

Decode and inspect JSON Web Token payloads without signature verification.

This tool only decodes the JWT; it does NOT verify the signature. Never share sensitive tokens.

JWT Decoder decodes JSON Web Tokens (JWTs) so you can inspect the header, payload, and signature without writing any code. A JWT is a compact, URL-safe token that consists of three Base64url-encoded sections separated by dots: the algorithm header, the claims payload, and a cryptographic signature.

Paste any JWT into the input field and the tool instantly breaks it into its three components and pretty-prints the JSON inside each section. You can see the token's expiration time, issued-at timestamp, user claims, and any custom fields embedded by the issuer.

This tool only decodes; it does not verify the signature. Always validate JWTs on the server side using the appropriate secret or public key before trusting the claims. No token data leaves your browser.

Code Implementation

import base64
import json

import jwt  # pip install PyJWT

token = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkFsaWNlIiwiaWF0IjoxNzAwMDAwMDAwLCJleHAiOjE3MDAwMDM2MDB9.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
secret = "your-256-bit-secret"

# Decode and verify signature + expiry.
# algorithms=[...] pins the accepted algorithm instead of trusting the token header.
try:
    payload = jwt.decode(token, secret, algorithms=["HS256"])
    print(payload)
    # For a token that verifies, this prints its claims, e.g.:
    # {'sub': '1234567890', 'name': 'Alice', 'iat': 1700000000, 'exp': 1700003600}
    # The sample token above does not pass verification as-is (its exp,
    # 1700003600, is already in the past), so an except branch runs for it.
except jwt.ExpiredSignatureError:
    print("Token has expired")
except jwt.InvalidTokenError as e:
    print(f"Invalid token: {e}")

# Decode without verification (inspect only; never trust unverified claims)
unverified = jwt.decode(token, options={"verify_signature": False})
print(unverified)

# Decode manually (no library): Base64url-decode the payload segment
parts = token.split(".")
# Add padding back (Base64url omits =)
payload_b64 = parts[1] + "=" * (-len(parts[1]) % 4)
payload = json.loads(base64.urlsafe_b64decode(payload_b64))
print(payload)

# Encode (create) a JWT
encoded = jwt.encode({"sub": "123", "name": "Alice"}, secret, algorithm="HS256")
print(encoded)
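
What server-side verification adds over decoding, as an added example (not ToolsShed's code): a standard-library HS256 check that pins the algorithm, compares the HMAC in constant time, and enforces `exp`. The secret, the tokens, and the helper names (`verify_hs256`, `tamper`, and so on) are constructed for illustration.

```python
import base64, hashlib, hmac, json, time

def b64url_decode(seg):
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def decode_unverified(token):  # what a decoder tool does: read claims, trust nothing
    return json.loads(b64url_decode(token.split(".")[1]))

def sign_hs256(claims, secret):
    header = {"alg": "HS256", "typ": "JWT"}
    body = ".".join(b64url_encode(json.dumps(p).encode()) for p in (header, claims))
    mac = hmac.new(secret, body.encode(), hashlib.sha256).digest()
    return body + "." + b64url_encode(mac)

def verify_hs256(token, secret, now=None):
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        header = json.loads(b64url_decode(header_b64))
        signature = b64url_decode(sig_b64)
    except ValueError as exc:  # wrong segment count, bad Base64 or bad JSON
        raise ValueError("malformed token") from exc
    # Pin the algorithm server-side; never let the token's header choose it
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    signed = f"{header_b64}.{payload_b64}".encode()
    expected = hmac.new(secret, signed, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):  # constant-time compare
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    exp = claims.get("exp")
    if exp is not None and (time.time() if now is None else now) >= exp:
        raise ValueError("token expired")
    return claims

def tamper(token, **changes):  # rewrite claims but keep the old signature
    head, payload, sig = token.split(".")
    claims = {**json.loads(b64url_decode(payload)), **changes}
    return ".".join([head, b64url_encode(json.dumps(claims).encode()), sig])

SECRET = b"constructed-demo-secret-for-hs256"  # constructed sample, not a real key
GOOD = sign_hs256({"sub": "123", "name": "Alice", "exp": 2_000_000_000}, SECRET)
FORGED = tamper(GOOD, name="Mallory")

if __name__ == "__main__":
    print(decode_unverified(FORGED))  # decodes fine, proves nothing
    print(verify_hs256(GOOD, SECRET, now=1_700_000_000))
```

The edited token decodes as cleanly as the genuine one; only `verify_hs256` tells them apart. In production, use a maintained library such as PyJWT rather than hand-rolled verification.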
