jwt decoder.
Paste a JSON Web Token. See the decoded header, payload, and signature. Purely client-side — no network, no logging, your token never leaves the browser.
/ what is a JWT?
A JSON Web Token is three base64url-encoded segments separated by dots: header.payload.signature. The header declares the signing algorithm. The payload contains claims (subject, expiry, issuer, custom fields). The signature is the HMAC or RSA/ECDSA signature of header.payload keyed by the issuer's secret.
Security note: a decoded JWT is not a verified JWT. This tool decodes — it does not check the signature. To verify in production you need the issuer's public key (for RS256/ES256) or the shared secret (for HS256). Never trust JWT claims without signature verification.
AFTERHEX — streetwear for the hidden layer. We make hoodies + tees for people who type // ignore previous instructions into every input field. See the drops.