JWT Payload & Header Decoder

Visualize and inspect the header and payload of your JSON Web Tokens instantly.

The JWT Decoder lets you paste any JSON Web Token and instantly visualize its header (algorithm, token type) and payload (claims, expiration, issuer) in a readable, structured format. The decoding runs entirely in your browser — your sensitive tokens are never sent to any server. Search through claims, copy decoded data, and understand token structure for debugging authentication flows in web and mobile applications.

Tutorial

How to Decode a JWT

1. Paste Your Token

Copy the JWT string from your request headers, cookies, or authentication response and paste it into the input field above.

2. Inspect the Decoded Output

The tool instantly splits and decodes the header and payload sections, displaying the algorithm, claims, and expiration in readable JSON.

3. Search and Copy Claims

Use the search bar to find specific claims in large payloads. Copy individual sections or the full decoded output with one click.

Guide

Complete Guide to JSON Web Tokens

What Is a JSON Web Token (JWT)?

A JSON Web Token (JWT, pronounced 'jot') is a compact, URL-safe means of representing claims to be transferred between two parties. It consists of three Base64Url-encoded parts separated by dots: the Header (specifying the algorithm and token type), the Payload (containing claims like user ID, email, roles, and expiration time), and the Signature (used to verify the token has not been tampered with). JWTs are the standard for authentication in modern web applications, APIs, and microservices architectures.

Why JWT Decoding Matters for Developers

Developers frequently need to inspect JWTs during authentication debugging, API integration, and security auditing. Understanding what claims a token contains — who issued it (iss), when it expires (exp), what permissions it grants (scope or roles) — is essential for troubleshooting login failures, permission errors, and token refresh issues. A JWT decoder transforms the opaque Base64 string into human-readable JSON, making these details instantly visible without writing custom code.

Key JWT Concepts

Registered claims are standardized fields: iss (issuer), sub (subject), aud (audience), exp (expiration), nbf (not before), iat (issued at), jti (unique ID). Custom claims carry application-specific data like user roles or permissions. The header specifies the signing algorithm, commonly HS256 (HMAC-SHA256) for symmetric signing or RS256 (RSA-SHA256) for asymmetric signing. Important: decoding reveals the payload, but only signature verification (requiring the shared secret for HS256, or the issuer's public key for RS256) confirms the token is authentic and unmodified.

Best Practices for JWT Security

Never store JWTs in localStorage: use httpOnly cookies so that script injected through an XSS flaw cannot read the token. Set short expiration times (15-60 minutes) and use refresh tokens for longer sessions. Always validate the signature server-side before trusting claims. Do not put sensitive data in the payload: JWTs are encoded, not encrypted, so anyone who holds the token can read the payload. Use HTTPS exclusively to prevent token interception. Rotate signing keys periodically. When debugging with this tool, remember that decoding is not verification; always verify signatures in production.

Examples

Worked Examples

Example: Debugging an Expired Token

Given: A user reports they cannot access the API despite being logged in.

Step 1: Copy the JWT from the user's request headers.

Step 2: Paste it into the decoder to view the payload.

Step 3: Check the 'exp' (expiration) claim: it shows a Unix timestamp that has already passed.

Step 4: The token expired and the refresh mechanism failed.

Result: The issue is an expired token. Fix the refresh token flow to automatically renew tokens before expiration.

Example: Verifying Token Claims

Given: An API returns 403 Forbidden for a user who should have admin access.

Step 1: Decode the user's JWT.

Step 2: Check the 'roles' claim in the payload: it shows ['user'] but not ['admin'].

Step 3: The user's role was not updated in the identity provider after promotion.

Result: Update the user's role in the identity provider and have them re-authenticate to receive a new token with admin claims.

Use Cases

Debug Authentication Failures

When users report login issues or 401 errors, paste their JWT to check if the token is expired, has incorrect audience claims, or is missing required scopes. This quickly narrows down whether the problem is in token generation or validation.

Verify API Integration Claims

During API development, decode tokens received from identity providers like Auth0, Firebase, or Okta to verify that custom claims such as roles, permissions, and tenant IDs are correctly propagated through your authentication flow.

Audit Token Security Practices

Security teams can inspect JWTs to verify that sensitive data is not stored in payloads, that appropriate signing algorithms are used instead of 'none', and that token expiration times follow organizational security policies and compliance requirements.

Frequently Asked Questions

What does a JWT decoder do?

A JWT decoder extracts and displays the header and payload data encoded in a JSON Web Token. It reveals the algorithm, token type, claims, expiration time, and other metadata without needing a secret key.

Is it safe to decode JWTs online?

Yes, this tool decodes JWTs entirely in your browser using JavaScript. Your token is never sent to any server, guaranteeing 100% privacy. However, avoid sharing decoded tokens containing sensitive claims.

Does this tool verify JWT signatures?

No, this tool only decodes the header and payload. It does not verify the cryptographic signature. For signature verification, you need the secret or public key and a server-side library.

What are the three parts of a JWT?

A JWT consists of three Base64Url-encoded parts separated by dots: the Header (algorithm and token type), the Payload (claims and data), and the Signature (used for verification).

Can I decode expired JWT tokens?

Yes, the decoder works on any valid JWT format regardless of whether the token has expired. You can inspect the 'exp' claim in the payload to see the exact expiration timestamp.

What JWT claims can I see?

You can see all standard claims like iss (issuer), sub (subject), aud (audience), exp (expiration), iat (issued at), and nbf (not before), as well as any custom claims added by the token issuer.

How do I use this JWT decoder?

Simply paste your JWT string (in the format header.payload.signature) into the input field. The tool instantly decodes and displays both the header and payload sections in a readable format.
