JWT Decoder
Decode and inspect JSON Web Tokens locally in your browser. Header and payload are pretty-printed; expiry is checked automatically.
JWT structure
A JSON Web Token consists of three Base64url-encoded segments joined by dots: header.payload.signature. The header declares the signing algorithm (alg) and token type (typ). The payload contains claims like sub, iat, exp, and any application-specific fields. The signature is computed over the first two parts with the issuer's secret or private key.
Why you can decode without a secret
JWTs are signed, not encrypted (unless they're JWEs). The header and payload are public — anyone can Base64url-decode them. The secret is only needed to verify that the signature is valid; it is not needed to read the contents. This JWT inspector decodes the segments locally so you can see exactly what is inside a token.
Security note
Avoid pasting real production tokens into any online tool. Even client-side tools run inside a browser tab that may have extensions or other scripts. For high-value tokens, decode locally with a CLI like jq or your language's JWT library.
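The decoding described above can be done offline in a few lines of Node.js. This is an added example, not this tool's own code; the names inspectJwt, b64urlToString, toB64url and SAMPLE_TOKEN are hypothetical, and the sample token is constructed with a placeholder signature. It reads the header and payload and checks exp, and it reports verified: false because no key is involved.

```javascript
// Added example: decode a JWT's header and payload without any key.
// Decoding is NOT verification: the signature segment is never checked here.

function b64urlToString(segment) {
  if (!/^[A-Za-z0-9_-]+$/.test(segment)) {
    throw new Error('segment is not Base64url');
  }
  // Base64url swaps '+' and '/' for '-' and '_' and drops '=' padding.
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

function inspectJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split('.');
  if (parts.length !== 3) {
    throw new Error(`expected header.payload.signature, got ${parts.length} segment(s)`);
  }
  const header = JSON.parse(b64urlToString(parts[0]));
  const payload = JSON.parse(b64urlToString(parts[1]));
  // exp is in seconds since the Unix epoch; null means the claim is absent.
  const expired = typeof payload.exp === 'number' ? nowSeconds >= payload.exp : null;
  return { header, payload, expired, verified: false };
}

// Constructed sample token (not a real credential), built inline so the
// example runs offline. The third segment is a placeholder, not a valid MAC.
function toB64url(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

const SAMPLE_TOKEN = [
  toB64url({ alg: 'HS256', typ: 'JWT' }),
  toB64url({ sub: 'user-123', iat: 1700000000, exp: 1700003600 }),
  'cGxhY2Vob2xkZXItc2lnbmF0dXJl',
].join('.');

console.log(JSON.stringify(inspectJwt(SAMPLE_TOKEN), null, 2));
```

The placeholder signature decodes just as readily as a genuine one, so output from a decoder like this should never be treated as proof that a token is authentic.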