For debugging only. Never trust a token based on decoding alone—always verify signatures and issuer on your server.
—
—
—
For debugging only. Never trust a token based on decoding alone—always verify signatures and issuer on your server.
—
—
—
JWT decoding is useful when you want to inspect the header and payload of a token without guessing at the encoded text. You can quickly see claims such as the subject, issuer, audience, or expiration time in a readable JSON format.
Seeing the contents of a token does not prove the signature is valid. Treat this page as a debugging aid only, then verify the signature and expiry in your authentication service before trusting the claims in a real application.
JSON Web Tokens carry a header (algorithm, type), payload (claims such as sub, exp, aud), and signature. This page base64url-decodes the first two parts for inspection.
Decoding is not verification. Anyone can read an unsigned or encoded token; only your auth service should trust a token after signature and expiry checks.
Paste a JWT to view decoded header and payload JSON. Useful when debugging auth flows, checking expiry (exp), or verifying audience (aud) claims during development.
Never paste production tokens on shared computers. Decoding does not validate signatures — use your identity provider for trust decisions.