JWT Decoder Tool - Free, No Sign-Up Required

Overview

JSON Web Tokens carry authentication state between client and server, but reading the raw Base64url string tells you nothing. This decoder splits the three dot-separated segments, decodes each from Base64url, and displays the JSON. You can also verify HMAC signatures against a secret without writing a line of code.

How to Use This Tool

Paste your JWT. The header and payload appear as formatted JSON immediately. For signature verification, choose the HMAC algorithm from the dropdown, type your secret key, and check the result badge. The tool also shows expiry, issued-at, and not-before times in a human-readable format.

Ready to get started? It's free, no registration required, and your files never leave your device.

Frequently Asked Questions

What information is in the JWT header?

The header contains the algorithm (alg), token type (typ), and sometimes a key ID (kid). For example: {"alg": "HS256", "typ": "JWT"}. The algorithm field tells the server which signing method to use during verification.

Can I decode a JWT without the secret key?

Yes. The header and payload are Base64url encoded, not encrypted. Any tool can decode them without a secret. Only signature verification requires the secret key.

What does alg: none in a JWT mean?

An alg value of none means the token has no signature. Accepting such tokens without validation is a critical security flaw. Servers should explicitly reject tokens with alg set to none.
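
The answers above, as an added Python example (not the tool's own code): the header and payload decode without any secret, while verification pins the expected HMAC algorithm so a token with alg set to none is rejected. The function names, secret, and claims are constructed for illustration.

```python
import base64, hashlib, hmac, json

# Only the HMAC algorithms the verifier is willing to accept; "none" is absent.
HMAC_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}

def b64url_decode(seg):
    # JWT segments drop '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def decode_unverified(token):
    """Read header and payload. No secret needed, and nothing is trusted yet."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected three dot-separated segments")
    return json.loads(b64url_decode(parts[0])), json.loads(b64url_decode(parts[1]))

def verify_hmac(token, secret, expected_alg="HS256"):
    """Return the payload only if alg is the expected HMAC and the MAC matches."""
    header, payload = decode_unverified(token)
    alg = header.get("alg")
    # The verifier, not the token, decides the algorithm; this rejects "none".
    if alg != expected_alg or alg not in HMAC_ALGS:
        raise ValueError("rejected alg: %r" % (alg,))
    signing_input, _, sig = token.rpartition(".")
    mac = hmac.new(secret, signing_input.encode("ascii"), HMAC_ALGS[alg]).digest()
    if not hmac.compare_digest(mac, b64url_decode(sig)):
        raise ValueError("signature mismatch")
    return payload

def make_token(header, payload, secret=None):
    """Build a constructed sample token; secret=None leaves the signature empty."""
    body = ".".join(b64url_encode(json.dumps(p, separators=(",", ":")).encode())
                    for p in (header, payload))
    sig = hmac.new(secret, body.encode(), hashlib.sha256).digest() if secret else b""
    return body + "." + b64url_encode(sig)

# Constructed sample data, not real credentials.
SECRET = b"constructed-demo-secret"
CLAIMS = {"sub": "user-123", "iat": 1700000000, "exp": 1700003600}
SIGNED = make_token({"alg": "HS256", "typ": "JWT"}, CLAIMS, SECRET)
UNSIGNED = make_token({"alg": "none", "typ": "JWT"}, CLAIMS)

if __name__ == "__main__":
    print(decode_unverified(UNSIGNED))   # decodes fine without any secret
    print(verify_hmac(SIGNED, SECRET))   # verified payload
```

The comparison uses hmac.compare_digest so the check runs in constant time, and the signing input is the first two segments exactly as received rather than re-serialized JSON.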