JWT Decoder
Decode JWT tokens to inspect header and payload claims.
- On your device
- No signup
Private on your device
Your information stays on your device and is not uploaded.
Decode JWT tokens to inspect header and payload claims.
Encode and sign JWTs with HS256 on your device.
Generate sample JWTs with common claims.
Format, minify, and validate JSON with optional key sorting.
Compare two JSON documents and list structural differences.
Format, minify, and validate XML with readable indentation.
Compare two XML documents and list structural differences.
Encode and decode text with Base64.
A JWT decoder reads the header and payload of a JSON Web Token without verifying signatures. Useful for debugging auth tokens locally—never paste production secrets into untrusted sites.
This JWT token decoder online parses JSON Web Tokens into readable header and payload JSON. Paste a JWT from OAuth, API gateways, or Auth0 to inspect claims, expiry, and issuer—decode only; signature verification is separate.
Decoding does not validate signatures—a tampered token still decodes. Always verify signatures in your own app before trusting a token.
Never paste production tokens with live privileges into untrusted websites; Utilnivo runs decode locally in the browser.
Paste the JWT string (three dot-separated parts), view decoded header and payload JSON, and check expiration timestamps.
Example: decode an access token to see `exp` (expiry) and `sub` (subject) before tracing a 401 Unauthorized in your API logs.
Paste a JWT (optionally with a Bearer prefix). The tool splits header, payload, and signature, Base64URL-decodes the first two segments, and pretty-prints them as JSON. Common time claims (iat, nbf, exp) are shown as timestamps. Signatures are displayed but not verified.
Decoding a JWT does not verify its signature or prove the token is valid, trusted, or unexpired. Do not paste production secrets into untrusted tools.
Your data stays on your device and is not uploaded.
These pages use the same jwt decoder with guides tailored to specific search intents.
FAQ
No. It only Base64URL-decodes header and payload. Verify signatures with your library and secret/key.
Standard decode works on your device on Utilnivo.
Standard JWTs have header.payload.signature. Some opaque tokens are not JWTs and will not decode.
Page last reviewed: