JWT Decoder

Decode and inspect the header and payload of a JWT token.

Header

    
Payload

    

ToolsSoup's JWT Decoder is a free online tool that decodes a JSON Web Token and shows its header and payload as clean, readable JSON — instantly and entirely in your browser. Your token is never uploaded or logged, so you can safely inspect the claims inside any JWT without it ever leaving your device.

What is a JWT?

A JSON Web Token (JWT) is a compact, URL-safe way to represent claims between two parties, most often used for authentication and authorization. It is made of three Base64URL-encoded parts separated by dots: a header that describes the signing algorithm, a payload that holds the claims (such as the user ID and expiry time), and a signature used to verify that the token has not been tampered with.

How to decode a JWT online

Inspecting a token with ToolsSoup takes just a few seconds:

  1. Paste your JWT into the input box. It should look like xxxxx.yyyyy.zzzzz.
  2. Click Decode to reveal the header and payload as formatted JSON.
  3. Read the claims, then copy either section with one click.

Does this verify the JWT signature?

No. This tool decodes and displays the contents of a token — it does not verify the signature, because verification requires the secret or public key that signed it. Decoding shows you what a token claims; verification proves those claims are authentic. Always verify signatures on the server before trusting a token, and never rely on decoded claims alone for security decisions.

Why use this JWT decoder?

  • 100% free with no ads, sign-up, or usage limits.
  • Runs entirely in your browser — your token is never uploaded to a server.
  • Shows the header and payload as clean, indented JSON.
  • Full Unicode support for claims containing non-ASCII characters.
  • Works offline once the page has loaded.

Frequently asked questions

Is this JWT decoder free?

Yes. Every tool on ToolsSoup is completely free to use, with no account, sign-up, or hidden limits.

Is it safe to paste my JWT here?

Yes. All decoding happens locally in your browser using JavaScript, so your token is never sent to or stored on any server. That said, treat any JWT as a secret and avoid sharing it where others can see your screen.

Does this tool verify the token's signature?

No. It only decodes the header and payload. Verifying the signature requires the signing key and should be done on the server before you trust a token.

Are JWTs encrypted?

Standard signed JWTs are not encrypted — they are only Base64URL-encoded, so anyone can read the payload. Never put sensitive data in a JWT unless you are using an encrypted JWT (JWE).

Why am I getting an 'Invalid JWT' error?

A JWT must have exactly three parts separated by dots, and each part must be valid Base64URL-encoded JSON. Common causes are a copied token that is missing a section, extra whitespace, or pasting only part of the token.