JWT Decode (no verify)

Decode JWT header/payload.

Runs locally in your browser by default; no upload.

About

Decode JWT header and payload to inspect claims like exp, iat, aud, iss, and custom fields. This tool does not verify signatures — it’s for debugging and troubleshooting. Runs locally in your browser.

Use cases

  • Check token expiry (exp) when users report random logouts.
  • Inspect scopes/roles in the payload during auth debugging.
  • Compare two tokens to see what changed after a refresh.

Common pitfalls

  • Never trust decoded claims without verifying the signature server-side.
  • Watch out for exp being in seconds since epoch (not ms).
  • JWT segments are Base64URL; standard Base64 decoders may fail or show garbled results.

Examples

Input

header.payload.signature

Output

{
  "header": { ... },
  "payload": { ... }
}
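
An added example, not part of the original page or the tool's own code: a decode-without-verify routine in JavaScript (browser or Node) that handles the pitfalls listed above, namely the Base64URL alphabet with stripped padding and exp in seconds, and rejects five-segment JWE input. The function names, the expLooksLikeMs heuristic and the sample token are assumptions constructed for illustration.

```javascript
// Decode one Base64URL segment (URL-safe alphabet, padding stripped) to text.
function b64urlDecode(seg) {
  if (!/^[A-Za-z0-9_-]+$/.test(seg) || seg.length % 4 === 1) {
    throw new Error("segment is not valid Base64URL");
  }
  // Map back to the standard alphabet and restore padding before atob().
  const b64 = seg.replace(/-/g, "+").replace(/_/g, "/")
    .padEnd(Math.ceil(seg.length / 4) * 4, "=");
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  return new TextDecoder().decode(bytes); // claims are UTF-8 JSON
}

// Inspection only: the signature is never checked, so the result is untrusted.
function decodeJwtNoVerify(token, nowMs = Date.now()) {
  const parts = token.trim().split(".");
  if (parts.length === 5) throw new Error("5 segments: JWE, payload is encrypted");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const header = JSON.parse(b64urlDecode(parts[0]));
  const payload = JSON.parse(b64urlDecode(parts[1]));
  const out = { header, payload, verified: false };
  if (Number.isFinite(payload?.exp)) {
    // exp is seconds since epoch; JavaScript dates use milliseconds.
    const ms = payload.exp * 1000;
    // A magnitude this large almost certainly means ms were written by mistake.
    out.expLooksLikeMs = Math.abs(payload.exp) > 1e11;
    out.expired = nowMs >= ms;
    out.expiresAt = out.expLooksLikeMs ? null : new Date(ms).toISOString();
  }
  return out;
}

// Constructed sample token, not a real credential; the signature is a dummy.
function b64urlEncode(obj) {
  const bytes = new TextEncoder().encode(JSON.stringify(obj));
  return btoa(String.fromCharCode(...bytes))
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}
const sampleToken = [
  b64urlEncode({ alg: "HS256", typ: "JWT" }),
  b64urlEncode({ sub: "user-1", name: "Zoë ???", exp: 1700000000 }),
  "ZHVtbXk",
].join(".");

console.log(decodeJwtNoVerify(sampleToken, 1700000001000));
```

The returned object always carries verified: false; treat every field as a claim until the server has checked the signature with the correct key and algorithm.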

FAQ

Why doesn’t this verify the signature?

Verification requires the signing key/public key and exact algorithm settings. This tool focuses on inspection; verify on your server.

Is decoding a JWT secure?

Decoding is just Base64URL parsing. Don’t treat decoded data as trusted unless you verify the signature.

Do you upload my token?

No. Decoding happens locally in your browser.

What’s the difference between JWS and JWE?

JWS is signed, so the payload is readable; JWE is encrypted, so the payload is not readable without decryption. This tool is for readable JWTs.

Limitations

  • No signature verification (do that server-side with the correct key and algorithm).
  • A decoded payload does not prove authenticity; it only shows what the token claims.
