RUNWEBTOOLS
English

JWT Decoder

Decode and inspect JSON Web Tokens.

Live — decodes as you type

Use on any page (bookmarklet)

Want JWT Decoder without leaving the page you're on? Drag the button below to your bookmarks bar, then click it on any website to open JWT Decoder right there — it runs entirely in your browser.

JWT Decoder← drag this to your bookmarks bar

Use responsibly: a bookmarklet runs on whatever page you click it on. Avoid sensitive sites such as online banking, payment, or healthcare pages — you run it at your own risk. Everything is processed locally and no data is sent anywhere. See our Terms.

  1. Show your bookmarks bar if it's hidden — Ctrl+Shift+B (+Shift+B on Mac).
  2. Drag the button above onto the bookmarks bar.
  3. Open any website and click the bookmark — the JWT Decoder panel appears in the top-right corner. Use ✛ to move it between corners, or ›/‹ to tuck it against the edge and pull it back out.
  4. Click the bookmark again (or the ✕) to close it.
Can't drag? Copy it and create a new bookmark with this as the URL:

Note: a few sites with strict security policies may block bookmarklets.

Examples

Decode header & payload

Input

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IlJ1bldlYlRvb2xzIn0.abc

Output

Header:  { "alg": "HS256", "typ": "JWT" }
Payload: { "sub": "1234567890", "name": "RunWebTools" }

Inspect the algorithm & role

Input

eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJyb2xlIjoiYWRtaW4ifQ.sig

Output

Header:  { "alg": "RS256", "typ": "JWT" }
Payload: { "role": "admin" }

About this tool

This free online JWT decoder reads a JSON Web Token and shows its header and payload as formatted JSON, right in your browser. Paste a token and it decodes live. Everything runs locally with no upload — your token never leaves your device.

How to use

  1. Paste your JWT into the input (or click Sample).
  2. Read the decoded header and payload, and copy either one.
  3. Check the time claims to see when the token was issued or expires.

What the decoder shows

  • Header — the signing algorithm (alg) and type, so you can confirm a token uses, say, HS256 or RS256.
  • Payload — every claim, formatted as readable JSON.
  • Time claimsiat, exp, and nbf are shown as human dates, with a flag when a token has already expired.

Common uses

  • Debug a login flow by checking what claims a token actually carries.
  • See whether an expired token is why a request returns 401.
  • Confirm a user's role or scope inside the payload.
  • Verify the algorithm matches what your API expects.

Decode is not verify (important)

A JWT's payload is base64url-encoded, not encrypted, so anyone can read it — never put secrets in it. This tool decodes for inspection but does not verify the signature, which needs the signing key. On a server, always verifya token before trusting it; decoding alone proves nothing. Since everything here runs locally with no upload, it's safe to inspect real tokens. Learn how it all fits together in our guide to JWTs, and read time claims with the timestamp converter.

Frequently asked questions

Is this JWT decoder free?

Yes — it's a completely free online JWT decoder with no sign-up.

Is my token sent to a server?

No. The token is decoded entirely in your browser with no upload, so it never leaves your device — important, since tokens are sensitive credentials.

Does it verify the signature?

No. This is a decoder/inspector — it reads the header and payload but does not verify the signature, which requires the secret or public key. Never trust an unverified token on a server.

What's inside a JWT?

Three base64url parts separated by dots: a header (algorithm and type), a payload (claims like sub, iat, exp), and a signature. This tool decodes the header and payload.

Is the payload encrypted?

No. A standard JWT payload is only base64url-encoded, not encrypted — anyone can read it. Never put secrets in a JWT payload.

What do iat and exp mean?

They are Unix timestamps: iat is when the token was issued and exp is when it expires. The tool shows them as readable dates and flags whether the token has expired.

Can I decode a token I selected on another page?

Yes — add the bookmarklet, select a token on any page, and click it to decode the selection on the spot.

Learn more

Related tools