Decode a JWT to read claims — without treating decode as verify
Three Base64url segments. We parse header + payload to JSON and pretty-print claims (`exp` as human time when present). **We do not verify signatures** on this page — say that loudly.
chars: 123
When to use
Debugging auth failures and inspecting aud/iss/exp on a token you already have — not for forging sessions.
Examples
How it works
Split on `.` → base64url decode → JSON.parse header/payload. Optional warning if alg is none. Signature verification is optional/limited — this is not a full auth library.
Common pitfalls
- Decode ≠ verify — don’t trust alg=none.
- Payload is readable Base64; secrets don’t belong in JWT claims.
- exp is usually seconds since epoch — use the timestamp tool if needed.
How this differs
Specialized Base64url peek for JWTs. Base64 Decode is general. JSON Formatter helps read payload JSON.
FAQ
Does decode prove the token is authentic?
**No.** Anyone can decode. Verification needs the key and crypto.
Is my token uploaded?
No.
Encrypted JWTs (JWE)?
Out of scope for this page.
Can I edit and re-sign here?
Not a goal of this tool.
Can I create signed JWTs here?
No — this page is for inspection/debugging, not issuing production tokens.
Related tools
Runs in your browser. Nothing is uploaded. Not a security product —hashes and JWT decode are for debugging, not password storage or auth advice.