MicaraTools

JWT Decoder

Decode a JWT’s header & payload.

  • 100% free
  • No sign-up
  • Private — runs in your browser
  • Instant results

What is a JWT?

A JSON Web Token (JWT) is a compact, URL-safe token used for authentication and passing claims between services. It has three parts separated by dots: a header (the algorithm and type), a payload (the claims — user id, expiry, etc.), and a signature. The header and payload are just Base64URL-encoded JSON, so this tool can decode and pretty-print them instantly.

Decoding ≠ verifying

This tool decodes the token to show what's inside, but it does not verify the signature — that requires the server's secret or public key. So treat the contents as "what the token claims," not "what's proven true."

Security note

Because anyone can read a JWT's payload (it isn't encrypted), never put passwords or secrets in it. Decoding here happens entirely in your browser — your token isn't sent anywhere. Still, don't paste live production tokens into any online tool you don't control.

FAQ

Is this JWT decoder free to use?

Yes, it's completely free with no sign-up and no limit on how many tokens you can decode.

Is my token sent to a server?

No. The token is Base64URL-decoded entirely in your browser using client-side JavaScript, so nothing is transmitted or logged. That said, avoid pasting live production tokens into any tool you don't fully control.

Can it verify the token's signature?

No. This tool only decodes the header and payload to show their contents. Verifying the signature requires the issuer's secret or public key, which should stay on your server and never be entered into an online tool.

How do I read the exp and iat claims?

The exp (expiration) and iat (issued-at) claims are Unix timestamps, the number of seconds since January 1, 1970 UTC. A token is expired when the current time is past its exp value; convert the number to a date to check.

What does an "invalid token" error mean?

It usually means the string isn't a well-formed JWT — most often a missing part (a valid token has three dot-separated sections) or extra whitespace copied along with the token. Paste only the token itself, with nothing before or after it.

Does it work on mobile?

Yes. The decoder is responsive and runs in any modern mobile browser, so you can inspect a token's claims on a phone or tablet.
