How to Decode a JWT (and Verify It Safely)
A JSON Web Token (JWT) looks like a long string of gibberish, but it is really three Base64URL-encoded parts that anyone can read. Decoding one lets you debug authentication issues — check who the token is for, what permissions it carries, and whether it has expired. Here is how to do it, and how to do it safely.
The tool
JWT Debugger
Step by step
- Open the JWT Debugger: go to the JWT Debugger. It runs entirely in your browser, so your token is never uploaded.
- Paste the token: paste the full token (header.payload.signature). The header and payload decode instantly.
- Read the claims: inspect the algorithm, subject, and standard time claims (iat, nbf, exp). The tool flags whether the token is valid, expired, or not yet active.
- Verify the signature (optional): for HMAC tokens (HS256/384/512), enter the shared secret to confirm the signature is valid. The check runs locally with the Web Crypto API.
Why you should decode JWTs locally, not on a random website
A JWT is encoded, not encrypted — its payload is plain, readable JSON to anyone who has the token. Access tokens often grant real permissions, so pasting one into an unknown online decoder means handing a working credential to that site’s server.
This tool decodes and verifies entirely in your browser: nothing — not the token, not the secret — is sent anywhere. That is the safe way to debug a token you actually use.
What the three parts mean
The header says how the token is signed (for example, the algorithm HS256 or RS256). The payload holds the claims — the subject (sub), issued-at (iat), expiry (exp), and any custom data. The signature is what proves the token has not been tampered with.
Decoding shows the header and payload; verifying the signature requires the secret (for HMAC) or the issuer's public key (for RSA/ECDSA). Until the signature verifies, treat every decoded claim as unverified input: anyone can assemble a token with any header and payload, so a verifier should check against the algorithm and key it expects rather than whatever the header announces.
Checking expiry
The exp claim is a Unix timestamp for when the token stops being valid; nbf is when it starts. The debugger converts both to readable dates and tells you whether the token is currently within its validity window — the quickest way to explain an “unexpected 401”.
Frequently asked questions
Can I decode a JWT without the secret?
Yes. The header and payload are only Base64URL-encoded, so they decode without any key. You only need the secret (or public key) to verify the signature, not to read the contents.
Is it safe to paste an access token?
In this tool, yes — everything runs in your browser and nothing is uploaded. Avoid pasting real tokens into decoders that process them server-side, since a JWT is a working credential.
Which signatures can it verify?
HMAC algorithms (HS256, HS384, HS512) with a shared secret, verified locally via the Web Crypto API. RSA and ECDSA tokens (such as RS256) are decoded but not signature-verified by this tool; verify those on your server with the issuer's public key.