
How to Decode a JWT Token

Updated 30 June 2026

You have a JSON Web Token in front of you — maybe from an API response, an Authorization header, or a login flow — and you need to see what is actually inside it. Is the token expired? Which user does it belong to? What scopes does it carry? To answer any of that you have to decode the JWT's contents, because the token looks like one long, unreadable string of dots and gibberish.

This guide shows you how to do it in seconds with the Tooldrop JWT Decoder. You paste the token, and it instantly splits it apart and pretty-prints the header and payload as readable JSON. It is free, needs no sign-up, has no limits, and runs entirely in your browser — so even a sensitive production token stays on your machine.

Step by step

  1. Open the JWT Decoder at /dev/jwt-decoder. There is nothing to install and no account to create — the page is ready the moment it loads.
  2. Copy your token from wherever it lives (an Authorization: Bearer header, an API response, your browser's dev tools, or a cookie). A JWT has three sections separated by dots: header.payload.signature.
  3. Paste the token into the large "Token" text box. You do not click a decode button — the tool reads it the instant you paste, so the results appear right away.
  4. Read the Header panel to see the algorithm and token type (for example alg and typ), pretty-printed as formatted JSON.
  5. Read the Payload panel to see the claims — things like the subject (sub), issuer (iss), expiry (exp), and any custom fields. This is usually the part you came for.
  6. Check the Signature panel. The decoder displays the raw signature but does not verify it, because verification needs a secret or key the tool never sees — so no key is ever required to read a token.
  7. Use the "Copy header" or "Copy payload" buttons to grab the formatted JSON for a bug report, a ticket, or your notes. If the token is malformed, you will get a plain-English message telling you exactly what is wrong.

When and why you'd decode a JWT

Decoding a token is a daily reality for anyone who works with authenticated APIs. The most common reason is debugging: a request is being rejected and you want to confirm the token has the right user, the right scopes, and an expiry that is still in the future. The exp claim is in Unix time, so decoding lets you actually read it instead of guessing.

It is also useful for learning and integration work. If you are wiring up a new identity provider or single sign-on flow, decoding the tokens it issues tells you exactly which claims are present and how they are named — far faster than reading the spec and hoping the provider followed it. And during a code review or incident, pasting a captured token quickly answers "whose token is this and what could it do?"

Is it safe and private?

Yes. The JWT Decoder does all of its work in your browser using your device's own JavaScript. Your token is never sent to Tooldrop or any server — there is no upload step at all. When you close or refresh the tab, the token is gone with it.

That matters because JWTs are often sensitive. A valid token can frequently be replayed to impersonate a user until it expires, so pasting one into a random online decoder that ships it off to a backend is a real risk. Because this tool keeps everything local, you can safely inspect production and staging tokens. As a habit, still avoid pasting tokens into shared screens or chat logs, and treat any live token like a password.

What it does and doesn't do

The decoder splits your token on its dots and base64url-decodes the header and payload, then formats them as clean, indented JSON so they are easy to scan. The signature segment is shown exactly as it appears in the token.

What it deliberately does not do is verify the signature. Verification proves a token was issued by a trusted party and hasn't been tampered with, and that requires the issuer's secret or public key — something a viewer should never ask you to hand over. So "decoded" here means "made readable," not "proven authentic." Reading a payload tells you what a token claims; it does not prove the token is genuine. Never trust the contents of a decoded token for a security decision in your own code without verifying the signature there.

Tips and common problems

Paste the whole token and nothing else. The most frequent error is leaving the word "Bearer" (and its space) at the front when copying from an Authorization header — strip that off so the string starts with the header segment. Stray quotes, trailing commas, or line breaks copied from JSON can cause the same problem.

If you see a message about needing three parts separated by dots, you have probably grabbed only part of the token or an extra fragment. If you see a base64url, UTF-8, or JSON error, the token is truncated or corrupted in transit — re-copy it from the source. And remember the payload is just data: a far-future or already-passed exp is normal to see, and the decoder will happily show you an expired token because reading and validating are two different jobs.
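As an added example (not Tooldrop's own code), this JavaScript mirrors what the decoder described above does and the errors listed in these tips: it strips a stray "Bearer " prefix, checks for three dot-separated parts, base64url- and UTF-8-decodes the header and payload, parses the JSON, and reports exp without ever verifying the signature. The token, its claims and the placeholder signature are constructed for the example.

```javascript
// Added example, not Tooldrop's own code: split on dots, base64url-decode header and payload, parse JSON, read exp.
// The signature is only displayed; verifying it would need the issuer's key.
function base64urlToBytes(segment) {
  // base64url (RFC 7515) -> standard base64, re-adding the padding JWTs strip.
  if (!/^[A-Za-z0-9_-]*$/.test(segment)) throw new Error("segment is not valid base64url");
  const b64 = segment.padEnd(Math.ceil(segment.length / 4) * 4, "=").replace(/-/g, "+").replace(/_/g, "/");
  return Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
}
function decodeSegment(segment, name) {
  let text;
  try {
    text = new TextDecoder("utf-8", { fatal: true }).decode(base64urlToBytes(segment));
  } catch (e) {
    throw new Error(`${name} is not valid base64url/UTF-8: ${e.message}`);
  }
  try { return JSON.parse(text); } catch (e) { throw new Error(`${name} is not valid JSON: ${e.message}`); }
}

// Takes the raw pasted string; tolerates whitespace and a stray leading "Bearer ".
function decodeJwt(rawInput) {
  const token = String(rawInput).trim().replace(/^Bearer\s+/i, "");
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error(`expected 3 dot-separated parts (header.payload.signature), got ${parts.length}`);
  return {
    header: decodeSegment(parts[0], "header"),
    payload: decodeSegment(parts[1], "payload"),
    signature: parts[2], // shown as-is; reading it proves nothing about authenticity
  };
}

// exp is NumericDate: seconds since the Unix epoch. Reported, never enforced here.
function expiryStatus(payload, nowSeconds = Math.floor(Date.now() / 1000)) {
  if (typeof payload.exp !== "number") return "no exp claim";
  const iso = new Date(payload.exp * 1000).toISOString();
  const delta = payload.exp - nowSeconds;
  return delta > 0 ? `expires in ${delta}s (${iso})` : `expired ${-delta}s ago (${iso})`;
}

// Constructed sample token: HS256 header, made-up claims, placeholder signature (not a real MAC).
function toBase64url(str) {
  const bin = String.fromCharCode(...new TextEncoder().encode(str));
  return btoa(bin).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}
const SAMPLE_TOKEN = [
  toBase64url(JSON.stringify({ alg: "HS256", typ: "JWT" })),
  toBase64url(JSON.stringify({ sub: "user-42", iss: "https://idp.example", exp: 1700000000, scope: "read write" })),
  "placeholder-signature",
].join(".");
console.log(JSON.stringify(decodeJwt("Bearer " + SAMPLE_TOKEN), null, 2), expiryStatus(decodeJwt(SAMPLE_TOKEN).payload));
```

Running it in a browser console or Node prints the same header and payload the decoder panels show; feed it a two-part string or a corrupted middle segment to see the three-parts and base64url errors the tips describe.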

Frequently asked questions

Do I need a secret or key to decode a JWT here?
No. Decoding only reads the header and payload, which are base64url-encoded plain JSON — no key is needed. A secret or key is only required to verify the signature, which this tool intentionally does not do.
Is my token uploaded anywhere?
No. The decoding happens locally in your browser using your device's own JavaScript. Your token is never sent to a server, and it's gone as soon as you close or refresh the tab, so it's safe to inspect sensitive tokens.
Does the tool check whether my token is valid or expired?
It shows you the data you need to judge that, but it does not enforce it. You'll see the expiry (exp) claim and the signature in the output, but the tool does not verify the signature or reject expired tokens — reading a token and validating it are separate steps.
Why am I getting an error when I paste my token?
A JWT must be three sections separated by dots. The usual cause is copying extra text — most often the leading "Bearer " from an Authorization header — or grabbing a truncated token. Re-copy just the token itself and paste it again.
