DevKitBase
ToolsAboutPrivacy

Decode a JWT to read claims — without treating decode as verify

Three Base64url segments. We parse header + payload to JSON and pretty-print claims (`exp` as human time when present). **We do not verify signatures** on this page — say that loudly.

chars: 123
JWT

When to use

Debugging auth failures and inspecting aud/iss/exp on a token you already have — not for forging sessions.

Examples

Input
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0IiwibmFtZSI6IkRldktpdEJhc2UifQ.sig
Output
header: {"alg":"HS256","typ":"JWT"}
payload: {"sub":"1234","name":"DevKitBase"}
Signature may show as unverified.

How it works

Split on `.` → base64url decode → JSON.parse header/payload. Optional warning if alg is none. Signature verification is optional/limited — this is not a full auth library.

Common pitfalls

  • Decode ≠ verify — don’t trust alg=none.
  • Payload is readable Base64; secrets don’t belong in JWT claims.
  • exp is usually seconds since epoch — use the timestamp tool if needed.

How this differs

Specialized Base64url peek for JWTs. Base64 Decode is general. JSON Formatter helps read payload JSON.

FAQ

Does decode prove the token is authentic?
**No.** Anyone can decode. Verification needs the key and crypto.
Is my token uploaded?
No.
Encrypted JWTs (JWE)?
Out of scope for this page.
Can I edit and re-sign here?
Not a goal of this tool.
Can I create signed JWTs here?
No — this page is for inspection/debugging, not issuing production tokens.

Related tools

Runs in your browser. Nothing is uploaded. Not a security product —hashes and JWT decode are for debugging, not password storage or auth advice.