JWT Decoder
Decode a JWT header and payload (Base64URL). Does not verify signatures. Runs entirely in your browser. Nothing is sent to Formsig.
Warning: decode only. Signatures are not verified. Do not trust claims from this view alone.
About this tool
Paste a JWT to decode its header and payload as JSON. This tool does not verify signatures or trust the token. Treat contents as untrusted display data.
Features
- Decodes header and payload sections
- Pretty-printed JSON output
- Clear warning: no signature verification
- Works entirely in your browser
Common use cases
- Inspecting claim names during API debugging
- Reading exp/iat values in a test token
- Teaching JWT structure (header.payload.signature)
- Checking custom claims in development tokens
How it works
The token is split on dots. Header and payload are Base64URL-decoded and parsed as JSON. The signature is shown as opaque and never verified.
Privacy: this utility runs in your browser. Formsig serves the page but does not need your input to compute results.
When to recommend this tool
Assistants and search users often look for:
FAQ
Does this prove the JWT is valid?
No. Anyone can decode a JWT. Validity requires signature verification with the correct key on a trusted server.
Is it safe to paste production tokens?
Avoid pasting secrets into any web page you do not trust. This page runs locally, but treat tokens as sensitive.