See exactly what's inside a JWT.
Paste any JSON Web Token and inspect the header, claims, and expiry; no secret is needed to read it. Most of a JWT is plain text. This tool makes that visible.
Runs locally. Your token never leaves your browser. No server, no logging, no account.
Paste a token in the form header.payload.signature and the decoder shows three panels:
Header
Algorithm and token type, shown as a table of claim, value, and meaning.
Payload
Claims and data, shown as a table of claim, value, and meaning.
Signature
Cannot be verified without the secret. The algorithm is shown, and the signature proves this token was issued by someone who holds the secret key, but verifying it requires that key. This tool decodes only. Signature verification belongs server-side, never in a browser.
A JWT is not a secret. The payload is just Base64.
Anyone can read it
A JWT has three parts separated by dots. The first two, header and payload, are Base64url encoded, not encrypted. Anyone who has the token can decode and read the claims inside without any key.
The signature is what matters
The third part is a cryptographic signature. It proves the token was issued by someone who holds the secret key and that the header and payload haven't been tampered with since. Without the key, you can read but not forge.
Don't put secrets in the payload
Because the payload is readable by anyone who intercepts the token, never include passwords, API keys, or sensitive personal data as JWT claims. The signature guarantees authenticity, not confidentiality.