Is decoding the same as verifying?

No. Decoding reveals the contents; verification proves the token is authentic and unaltered. Decoding requires only the token text. Verification requires the secret (HMAC) or public key (asymmetric) and is essential before trusting any claims.

Can I read JWTs without the secret?

Yes. JWTs are not encrypted by default. The header and payload are base64-encoded JSON, readable by anyone with the token text. Only the signature requires keys to verify.

What's the signature for?

The signature proves the token was issued by someone holding the secret or private key, and that nothing in the header or payload has been altered since signing. Without verification, claims could be anything.

What does each part of the token contain?

The first part (header) contains algorithm and type metadata. The second (payload) contains the claims. The third (signature) is cryptographic proof of authenticity.

Why are some tokens missing a signature?

Tokens with alg: none have no signature. They are valid JWTs by spec but provide no authenticity guarantees and should not be accepted in production.

Standard JWT payloads are signed but not encrypted. JWE (JSON Web Encryption, RFC 7516) is a separate format for encrypted tokens. Most JWTs in the wild are JWS (signed only).

Is my token uploaded to a server?

No. Decoding happens in your browser; the token does not leave your device.

How long are JWTs typically?

Anywhere from a few hundred to several thousand characters. Length depends on the number and size of claims plus the signature length (which depends on algorithm).

JWT Token Decoder | Any-Tools.net

About JWT Decoding

JSON Web Tokens (JWT) are a compact, URL-safe format for transmitting claims between two parties, defined by RFC 7519. A JWT is three base64url-encoded segments separated by dots: header (algorithm and token type), payload (claims), and signature (cryptographic proof of authenticity). The header and payload are JSON, base64url-encoded for URL safety; the signature uses one of several algorithms (HS256, RS256, ES256, and others) over the encoded header and payload.

Decoding a JWT — splitting it into segments and base64-decoding each — does not require any secret. Anyone with the token text can read its header and payload. The signature, however, can only be verified with the secret (HMAC) or public key (asymmetric). Decoding is for inspection; verification is what proves authenticity.

This decoder splits the token, base64-decodes each segment, parses the header and payload as JSON, and shows the result. It does not attempt signature verification because that requires the secret or public key, which the decoder does not have. The decoded output is read-only inspection — useful for debugging tokens but not a substitute for proper verification in application code.

Why Decode JWTs

Debugging authentication issues almost always involves inspecting tokens. A token that looks valid in code may have wrong claims, an unexpected algorithm, an expired exp timestamp, or audience mismatch. Decoding the token reveals exactly what the issuer produced.

Inspecting tokens during integration work also helps. When connecting to a third-party API or identity provider, the actual claim names, formats, and structure are best understood by decoding sample tokens rather than relying on documentation that may be outdated.

How to Decode a JWT

Paste the token, get the parsed contents.

Paste your JWT: Drop the full token (header.payload.signature) into the input area. The decoder accepts tokens with or without the optional Bearer prefix.
Inspect the header: The header shows the signing algorithm (alg) and token type (typ). Common algorithms are HS256, RS256, and ES256. Watch for alg: none, which signals an unsigned token and is rarely safe in production.
Inspect the payload: The payload contains the claims: iss (issuer), sub (subject), aud (audience), exp (expiration), iat (issued at), and any application-specific claims. Standard timestamps are Unix epoch seconds.
Verify separately: The decoder does not verify the signature. To check authenticity, run the token through a JWT library with the appropriate secret or public key in your application code.

Common Use Cases

Debugging expired token errors — Decoding the token reveals the exp claim. Compare against the current time to confirm whether expiration is the actual cause.
Understanding claims structure of a third-party token — Identity providers (Auth0, Okta, Cognito) issue tokens with provider-specific claim layouts. Decoding sample tokens shows the actual structure.
Inspecting tokens during integration — When integrating SSO or OAuth flows, decoding tokens at each step helps verify the data is shaped as expected.
Auditing token contents for sensitive data — Tokens are not encrypted by default; the payload is readable. Decoding existing tokens helps confirm sensitive data is not being included by accident.
Verifying audience and issuer claims — Defending against token confusion requires correct aud and iss handling. Decoding tokens during testing confirms these claims are populated correctly.

Technical Details

JWT format is three segments joined by dots. Each segment is base64url-encoded — the URL-safe variant of base64 that uses - and _ instead of + and /, with padding sometimes omitted. Decoding requires undoing the URL-safe substitutions, padding the segment, and base64-decoding.

The header and payload are JSON after decoding. The signature segment is binary (raw signature bytes) and is not human-readable; it requires the verification key to be useful.

Common claims defined in RFC 7519: iss (issuer), sub (subject identifier), aud (audience), exp (expiration as Unix epoch seconds), nbf (not-before timestamp), iat (issued-at timestamp), jti (unique token ID). Application-specific claims can appear with any name.

Best Practices

Never trust an unverified JWT — Decoding only reveals the contents; it does not prove authenticity. Always verify the signature with the proper key in application code before trusting the claims.
Watch for alg: none — Tokens with alg: none have no signature. Application code that accepts them is vulnerable to forgery. Always require a specific algorithm in your verification configuration.
Be cautious with sensitive data in payloads — JWT payloads are readable by anyone with the token. Encrypt the payload (use JWE) if it contains data that must be secret.
Validate exp before processing — An expired token should be rejected even if the signature is valid. JWT libraries typically check exp automatically; verify your library does.

Frequently Asked Questions

Is decoding the same as verifying?: No. Decoding reveals the contents; verification proves the token is authentic and unaltered. Decoding requires only the token text. Verification requires the secret (HMAC) or public key (asymmetric) and is essential before trusting any claims.
Can I read JWTs without the secret?: Yes. JWTs are not encrypted by default. The header and payload are base64-encoded JSON, readable by anyone with the token text. Only the signature requires keys to verify.
What's the signature for?: The signature proves the token was issued by someone holding the secret or private key, and that nothing in the header or payload has been altered since signing. Without verification, claims could be anything.
What does each part of the token contain?: The first part (header) contains algorithm and type metadata. The second (payload) contains the claims. The third (signature) is cryptographic proof of authenticity.
Why are some tokens missing a signature?: Tokens with alg: none have no signature. They are valid JWTs by spec but provide no authenticity guarantees and should not be accepted in production.
Are JWTs encrypted?: Standard JWT payloads are signed but not encrypted. JWE (JSON Web Encryption, RFC 7516) is a separate format for encrypted tokens. Most JWTs in the wild are JWS (signed only).
Is my token uploaded to a server?: No. Decoding happens in your browser; the token does not leave your device.
How long are JWTs typically?: Anywhere from a few hundred to several thousand characters. Length depends on the number and size of claims plus the signature length (which depends on algorithm).

JWT Token Decoder

Related Tools

URL Encoder / Decoder

Base64 Encoder / Decoder

JSON Formatter & Validator

XML Formatter & Validator

About JWT Decoding

Why Decode JWTs

How to Decode a JWT

Common Use Cases

Technical Details

Best Practices

Frequently Asked Questions

Related Articles

Essential Developer Tools: JSON, Base64, RegEx, and More

Hashing, Encryption, and Encoding Explained: A Developer's Security Guide

Spreadsheet & Data Conversion Guide: Excel, CSV, JSON, and More

Why Browser-Based Tools Are the Future: No Installs, No Uploads, No Risk