Tools you might need next
Encode text to Base64 online with full Unicode support. Convert strings for APIs, data URLs, email attachments, and safe binary-to-text transport.
Decode Base64 to text. Supports Unicode. For APIs and data decoding. Free developer utility that runs locally in your browser — fast, private, and no server
Encode text for URLs. Percent encoding. For query strings and links. Free developer utility that runs locally in your browser — fast, private, and no server
A JSON Web Token has three Base64URL-encoded parts separated by dots: Header (algorithm, type), Payload (claims), and Signature. Decoding reads Header and Payload without verification.
JWT = Base64URL(Header) . Base64URL(Payload) . Signature; Header: {alg, typ}; Payload: {iss, sub, exp, iat, ...}The signature ensures token integrity. For HMAC (HS256), it uses a shared secret. For RSA (RS256), it uses a private key for signing and public key for verification. Never trust payload data without verifying the signature.
Updated: July 2026
Paste a JWT to check its expiration time and claims without verifying signature.
→ Header: {alg: HS256}, Payload: {sub: "1234567890", exp: 2021-03-20T...} — EXPIRED
Verify that a third-party JWT has the expected issuer (iss) and audience (aud) claims.
→ Claims decoded: iss: "auth.example.com", aud: "api.myapp.com"
Anyone can create a JWT with arbitrary claims. Always verify the signature server-side using the appropriate key before trusting any claim values.
JWT payload is Base64-encoded, NOT encrypted. Anyone with the token can decode and read all claims. Never put passwords, credit card numbers, or secrets in JWT claims.
Decode and inspect JWT headers, payloads, and signatures in detail. Analyze claims, expiration, and algorithm metadata without sending tokens to a server. It applies the jwt structure (JWT = Base64URL(Header) . Base64URL(Payload) . Signature; Header: {alg, typ}; Payload: {iss, sub, exp, iat, ...}). For example: decode and inspect an expired token — Paste a JWT to check its expiration time and claims without verifying signature.