JWT Decode Online — Header, Payload & Signature

Paste a JWT token to inspect its header and payload as formatted JSON. The signature is shown separately — we do not verify signatures or send your token to any server.

Loading…
JWT decode — inspect tokens locally
Decode JSON Web Token headers and payloads in your browser. Signature verification is out of scope — use your identity provider or JWKS workflows for trust decisions.

How JWT decode works here

Paste the full token (three Base64URL segments separated by dots). Header and payload render as formatted JSON; the signature segment is shown as raw text. Decoding is not verification — anyone can read JWT claims. Never treat decoded content alone as proof of authenticity.

Privacy & limits

Tokens never leave your browser tab. We do not fetch JWKS keys, validate exp/nbf, or accept shared secrets in Wave A. Pair with the Base64 tool if you need to inspect individual segments manually.

Typical workflow

OAuth access token

Sample input

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Expected output

Header shows alg/typ; payload shows sub, exp, scopes.

Debugging 401 errors

Sample input

Paste token from Network tab

Expected output

Check exp claim and issuer before blaming API routes.

Related encode utilities

Percent-encode redirect URLs with the URL encoder or inspect Base64 fragments via the Base64 tool.

JWT decode FAQ

Decode ≠ verify

Does this verify signatures?

No. We only Base64URL-decode header and payload. Use your auth server or a verifier with the correct keys for trust.

Is my token sent to FastMinify?

Never — decoding runs entirely in your browser.

Can I paste refresh tokens safely?

Processing stays local, but treat tokens as secrets — avoid screen sharing and clear the field when done.

Looking for converters, encoders, formatters, and minifiers in one place? Developer tools hub Open the curated developer tools catalogue.