JWT Decoder

Paste a JSON Web Token to decode the header and payload sections as formatted JSON — inspect claims, expiration, and issuer without sending the token to any server.

  • Free to Use
  • No Signup
  • Privacy Friendly

How to decode a JWT

  1. Paste the token

    Copy the full JWT from your browser, API response, or Authorization header — three dot-separated parts.

  2. Read header and payload

    The tool Base64-decodes the header and payload into formatted JSON automatically.

  3. Check claims

    Look for exp (expiration), iss (issuer), sub (subject), and custom claims in the payload.

JWT structure

A JWT has three Base64url-encoded parts separated by dots:

header.payload.signature

  • Header — algorithm (alg) and token type (typ)
  • Payload — claims like sub, exp, iat, and custom fields
  • Signature — verifies integrity (not validated by this decoder)

Warning: Decoding does not verify the signature. Never trust unverified JWT contents for authorization.
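
The decoding described above, as an added JavaScript example that is not this tool's own code: it splits the token, Base64url-decodes the header and payload, and reports expiry while marking the signature as unverified. The function names, the sample token and its claim values are constructed for illustration.

```javascript
// Decode one Base64url segment to a UTF-8 string.
function b64urlDecode(segment) {
  if (!/^[A-Za-z0-9_-]+$/.test(segment)) {
    throw new Error("segment is empty or contains non-Base64url characters");
  }
  // Base64url swaps "+/" for "-_" and drops "=" padding; restore both for atob().
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes);
}

// Decode header and payload locally. The signature is never checked here.
function decodeJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) {
    throw new Error(`expected 3 dot-separated parts, got ${parts.length}`);
  }
  const header = JSON.parse(b64urlDecode(parts[0]));
  const payload = JSON.parse(b64urlDecode(parts[1]));
  return {
    header,
    payload,
    // exp is seconds since the epoch; null means the claim is absent.
    expired: typeof payload.exp === "number" ? payload.exp <= nowSeconds : null,
    signatureVerified: false, // never use these claims for authorization
  };
}

// Constructed sample token (not a real credential); the signature is a dummy value.
const toB64url = (obj) =>
  btoa(JSON.stringify(obj)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const SAMPLE_TOKEN = [
  toB64url({ alg: "HS256", typ: "JWT" }),
  toB64url({ sub: "user-123", iss: "https://issuer.example", exp: 1700000000 }),
  "ZHVtbXktc2lnbmF0dXJl",
].join(".");

console.log(decodeJwt(SAMPLE_TOKEN));
```

A truncated token or one with whitespace inside a segment throws instead of returning partial claims; leading and trailing whitespace is trimmed first.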

Why Use This Tool?

  • Instant Decode

    Header and payload appear as formatted JSON on paste.

  • Claim Inspection

    Read exp, iss, aud, and custom claims at a glance.

  • OAuth Debugging

    Debug login flows and API tokens on any device.

  • No Upload

    Tokens are decoded locally — never sent to a server.

Frequently Asked Questions

Does this verify JWT signatures?

No. This decoder only reads header and payload. Signature verification requires the secret or public key.

Why is my token invalid?

JWTs must have exactly three Base64url parts. Check for truncation or extra whitespace.

Can I decode expired tokens?

Yes. Decoding works regardless of expiration — check the exp claim in the payload.

Is decoding a JWT secure?

JWT payloads are not encrypted — anyone with the token can decode them. Do not put secrets in payloads.

Is this JWT decoder free?

Yes. Unlimited decoding with no signup; tokens stay on your device.

JWT Decoder — TetraKits

JWT Inspection Without jwt.io Uploads

OAuth flows, API debugging, and session troubleshooting all require reading JWT claims — but pasting production tokens into third-party sites is a security risk. This browser decoder parses header and payload locally without uploading your token.