Inspect the contents of a JSON Web Token (JWT) without verifying its cryptographic signature — useful for debugging, not for trust decisions.
Token structure
A JWT is three Base64URL-encoded segments separated by dots:
- Header — typically {"alg":"HS256","typ":"JWT"}, declaring algorithm and type.
- Payload — claims such as sub, exp, iat, aud, and custom application fields.
- Signature — HMAC or asymmetric proof over header.payload.
This tool decodes the first two parts into indented JSON. The signature segment is shown but not validated.
When to use it
Read expiration (exp) during API development, confirm scopes in an OAuth access token, or explain JWT anatomy in security training.
Limitations
Decoding is not authentication. Anyone can forge a payload; only signature verification with the issuer’s secret or public key proves integrity. Base64URL padding quirks and binary claims may display imperfectly. Tokens pasted into the page stay local but should still be treated as secrets if live.
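The decoding step and its limits, as an added example in JavaScript (not this tool's own code): it restores the stripped Base64URL padding, parses the header and payload, and returns the signature segment unchecked. The function names and the sample token are constructed for illustration.

```javascript
// Added example: decode a JWT's header and payload WITHOUT verifying the signature.
// All names and the sample token below are constructed for illustration.

function b64urlToBytes(seg) {
  if (!/^[A-Za-z0-9_-]*$/.test(seg)) throw new Error("invalid Base64URL characters");
  if (seg.length % 4 === 1) throw new Error("invalid Base64URL length");
  // JWT segments drop '=' padding; restore it and map the URL-safe alphabet back.
  const pad = "=".repeat((4 - (seg.length % 4)) % 4);
  return Uint8Array.from(atob(seg.replace(/-/g, "+").replace(/_/g, "/") + pad), (c) => c.charCodeAt(0));
}

function bytesToB64url(bytes) {
  return btoa(String.fromCharCode(...bytes)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

function decodeJson(seg, name) {
  // fatal: true rejects bytes that are not valid UTF-8 instead of silently replacing them.
  const text = new TextDecoder("utf-8", { fatal: true }).decode(b64urlToBytes(seg));
  try { return JSON.parse(text); } catch { throw new Error(`${name} is not valid JSON`); }
}

function decodeJwtUnverified(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected three dot-separated segments");
  const header = decodeJson(parts[0], "header");
  const payload = decodeJson(parts[1], "payload");
  return {
    header,
    payload,
    signature: parts[2], // displayed as-is, never checked
    verified: false,     // decoding alone says nothing about integrity
    // A token is expired on or after its exp time; null when exp is absent.
    expired: typeof payload.exp === "number" ? payload.exp <= nowSeconds : null,
  };
}

// Constructed sample: the third segment is a meaningless placeholder, yet decoding
// succeeds, which is why decoded claims must never drive a trust decision.
function makeSampleToken(claims) {
  const enc = (o) => bytesToB64url(new TextEncoder().encode(JSON.stringify(o)));
  return `${enc({ alg: "HS256", typ: "JWT" })}.${enc(claims)}.not-a-real-signature`;
}

const sample = makeSampleToken({ sub: "user-123", exp: 1700000000, aud: "example-api" });
console.log(JSON.stringify(decodeJwtUnverified(sample, 1700000001), null, 2));
```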