JWT Decode (Header/Payload)

Decoding a JWT doesn’t verify it. Always validate signature, issuer, audience, and expiry on the server.

About JWT

This tool decodes the Base64URL-encoded header and payload. It does not verify the signature. Always validate tokens server-side.

JWT decode online: header/payload only (no verification, no upload)

FAQs

Does decoding verify a JWT?
No. Decoding only reveals header/payload. Verification requires checking signature, issuer, audience, and expiry.
What is Base64URL?
A URL-safe Base64 variant used by JWT (characters '-' and '_' instead of '+' and '/').
Does this tool upload my token?
No. Decoding happens locally in your browser; tokens are not sent anywhere.

JWT decoding and security FAQs

Does Base64 decoding validate a JWT?
No. Decoding reveals claims but does not verify signature or trustworthiness.
What algorithms are safe?
Use RS256/ES256/EdDSA. Never accept 'none'. Validate 'aud', 'iss', 'exp'.
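
The gap between decoding and verifying, shown as an added Node.js example (not this tool's own code): a token with an edited payload decodes cleanly but fails server-side verification. The Ed25519 key pair, the issuer and audience values, the fixed clock and the helper names are all constructed for the demonstration.

```javascript
const nodeCrypto = require('node:crypto');
const b64url = (data) => Buffer.from(data).toString('base64')
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');

// Base64URL -> bytes: map '-' and '_' back to '+' and '/', then restore padding.
function b64urlDecode(s) {
  if (!/^[A-Za-z0-9_-]*$/.test(s)) throw new Error('not Base64URL');
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  return Buffer.from(b64 + '='.repeat((4 - (b64.length % 4)) % 4), 'base64');
}

// Decode only (what the tool does): reveals claims, proves nothing about them.
function decodeJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('expected 3 segments');
  const [header, payload] = [parts[0], parts[1]].map((p) => JSON.parse(b64urlDecode(p).toString('utf8')));
  return { header, payload, signingInput: `${parts[0]}.${parts[1]}`, signature: b64urlDecode(parts[2]) };
}

// Server-side verification: pinned algorithm, signature, then iss / aud / exp.
function verifyJwt(token, publicKey, { iss, aud, now }) {
  const { header, payload, signingInput, signature } = decodeJwt(token);
  if (header.alg !== 'EdDSA') throw new Error('alg not allowed'); // also rejects 'none'
  if (!nodeCrypto.verify(null, Buffer.from(signingInput), publicKey, signature)) throw new Error('bad signature');
  if (payload.iss !== iss) throw new Error('wrong iss');
  if (![].concat(payload.aud).includes(aud)) throw new Error('wrong aud');
  if (typeof payload.exp !== 'number' || payload.exp <= now) throw new Error('expired');
  return payload;
}

// --- Constructed demo material: throwaway Ed25519 key, made-up issuer/audience ---
const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync('ed25519');
const NOW = 1700000000; // fixed clock so results are reproducible
const EXPECT = { iss: 'https://issuer.example', aud: 'api.example', now: NOW };
const seg = (obj) => b64url(JSON.stringify(obj));
function signJwt(claims) {
  const input = `${seg({ alg: 'EdDSA', typ: 'JWT' })}.${seg(claims)}`;
  return `${input}.${b64url(nodeCrypto.sign(null, Buffer.from(input), privateKey))}`;
}
const check = (token) => {
  try { verifyJwt(token, publicKey, EXPECT); return 'ok'; } catch (e) { return e.message; }
};
const claims = { iss: EXPECT.iss, aud: EXPECT.aud, sub: 'alice', role: 'user', exp: NOW + 300 };
const good = signJwt(claims);
// Same header and signature, edited payload: still decodes cleanly.
const tampered = [good.split('.')[0], seg({ ...claims, role: 'admin' }), good.split('.')[2]].join('.');
const unsigned = `${seg({ alg: 'none' })}.${seg(claims)}.`;
const stale = signJwt({ ...claims, exp: NOW - 1 });
```

`check(good)` passes, while `tampered`, `unsigned` and `stale` are each rejected at a different step even though `decodeJwt` reads all four without complaint.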