JWT Decoder
Decode JWT headers and payloads with optional HMAC signature verification.
Decode only, or verify an HMAC-signed JWT with a shared secret.
Used only for HS256, HS384, and HS512 verification.
Decoded token
Run a tool to see output.
Paste a JSON Web Token to inspect its decoded header, payload, signature length, and registered time claims. Decoding is not validation; use the verification options when you have the correct shared secret.
How to Use
Paste a JSON Web Token to inspect its decoded header, payload, signature length, and registered time claims. Decoding is not validation; use the verification options when you have the correct shared secret.
- Open the tool : Start with JWT Decoder, then follow the steps below.
- Set the inputs : Adjust the fields to match the values you want to process.
- Run and copy : Use the action buttons, then copy or share the result if you need it elsewhere.
Common Questions
What does JWT Decoder help inspect or debug?
Decode JWT headers and payloads with optional HMAC signature verification.
Can I copy or export the result from JWT Decoder?
Yes. Use the copy button or any download option that appears after the result is generated.
Can a decoded JWT be modified and reused?
No. While anyone can freely decode the Base64Url payload of a JSON Web Token (JWT) to read its contents, modifying the data invalidates its cryptographic signature. The receiving server will immediately reject the token unless it is re-signed with the original private secret key.
Is it safe to store sensitive data in a JWT payload?
No. The payload of a standard JWT is only Base64 encoded, not encrypted. Any user or interceptor can decode the token and read the claims inside. Never place passwords, social security numbers, or private personal data inside a JWT payload.