JWT Decoder (Header + Payload)

Decode JWT header and payload Base64url segments visually

Paste a JSON Web Token to split it at the dots and Base64url-decode the header and payload into readable JSON. Shows the algorithm, type, and standard claims like exp and iat with human-readable times. Runs in your browser. It runs free in your browser on Gera Tools, with nothing uploaded.

Last updated Source: Gera Tools

What are the three parts of a JWT?

A JWT is three Base64url segments joined by dots: a header, a payload, and a signature. The header names the signing algorithm, the payload holds the claims (the data), and the signature lets the recipient verify the token was not altered.

A JSON Web Token (JWT) carries signed claims as three Base64url segments separated by dots: header.payload.signature. The header and payload are only encoded, not encrypted — anyone with the token can read them. This tool splits a token and decodes the header and payload into readable, pretty-printed JSON, directly in your browser. It does not verify the signature.

Structure of a JWT

Every JWT has exactly three dot-separated segments:

eyJhbGciOiJIUzI1NiJ9  .  eyJzdWIiOiIxMjMifQ  .  SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
      header                    payload                       signature
  • Header — a JSON object naming the signing algorithm and token type, for example {"alg":"HS256","typ":"JWT"}.
  • Payload — a JSON object containing claims: facts about the subject and instructions for the recipient.
  • Signature — raw cryptographic bytes produced by signing base64url(header) + "." + base64url(payload) with a secret or private key.

How decoding works

  1. The token is split on . into three segments.
  2. The header and payload are Base64url-decoded: the URL-safe characters - and _ are mapped back to + and /, any missing padding is restored, and the resulting bytes are UTF-8 decoded and parsed as JSON.
  3. Standard time claims — iat (issued-at), nbf (not-before), and exp (expiry) — are Unix timestamps in seconds and are converted to readable UTC dates.
  4. If the current time is past exp, the token is flagged as expired.
  5. The signature is shown as its raw Base64url string — it contains binary data, not text, so it cannot be meaningfully decoded to JSON.

Reading the common claims

ClaimMeaning
algSigning algorithm — in the header (e.g. HS256, RS256)
subSubject — the user or entity the token represents
issIssuer — the service that created the token
audAudience — which service(s) should accept this token
iatIssued at — when the token was created (Unix seconds)
nbfNot before — token is invalid before this time
expExpiry — token must be rejected after this time

Worked example

The token eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjMiLCJleHAiOjE3MDAwMDAwMDB9.sig decodes to:

  • Header: {"alg":"HS256"}
  • Payload: {"sub":"123","exp":1700000000} — expiry shown as 2023-11-14 22:13:20 UTC

If that expiry is in the past, the tool shows it as expired.

Security reminders

Because anyone can decode a JWT, never put secrets, passwords, or sensitive personal data in the payload — it is readable by any party that intercepts the token. The signature only proves the payload has not been tampered with; it does not hide the contents. Always verify the signature server-side using your signing key before trusting any claim for authentication or authorization. The algorithm in the header should be validated against an explicit allow-list — reject alg: none outright.