JWT Decoder

Decode JWT headers, payloads and claims locally for API debugging and login issue checks. Tokens stay in your browser and are not uploaded.

Browser-local · No upload · No saved content
JWT Decoder overview

JWT Decoder parses JWT Header and Payload locally so you can inspect claims, iat, exp and permission fields during login debugging or API integration. It decodes only and does not verify signatures.

How to use JWT Decoder

  1. Paste the JWT into the token text area.
  2. Click Decode JWT to parse the Header and Payload locally.
  3. Review alg, typ and related fields in the Header panel.
  4. Review sub, iat, exp, scope or custom claims in the Payload panel.

Troubleshooting

Bearer prefix was pasted

Authorization headers include Bearer plus the token; decoding needs only the token.

Remove Bearer and paste the three-part JWT string.

Decode is confused with verification

Payload content can be forged until the signature is verified.

Use server-side verification with a secret or public key for security decisions.

Token is not a three-part JWT

Opaque tokens, session IDs and encrypted JWE tokens cannot be viewed as normal JWTs.

Check whether it has the header.payload.signature structure.

JWT decoding and signature verification compared

This tool decodes tokens locally. It does not validate signatures.

| Action | Needs key? | Confirms | Does not confirm |
| --- | --- | --- | --- |
| JWT decode | No | Header, Payload and claims content | Whether the token was tampered with |
| Signature verification | Secret or public key | The token matches its signature | Business authorization by itself |
| Expiration check | No | The exp value if present | Server clock and revocation rules |
| Permission check | Usually server-side | Role/scope in application context | Security from Payload alone |

JWT Decoder examples

JWT Payload inspection

JWT
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiI0MiIsInNjb3BlIjoicmVhZCJ9.xxx
Payload
{
  "sub": "42",
  "scope": "read"
}

This page decodes Header and Payload; it does not verify signatures.
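
The gap between decoding and verifying, shown as an added example that is not KitVerse's own code: a Node.js decoder that handles the Bearer prefix, the three-part check and JWE detection from the troubleshooting list, next to an HS256 verifier that rejects a token whose payload was edited. The secret, the tokens and the function names are constructed for illustration.

```javascript
// Added example (not KitVerse code), Node.js 16+. SECRET and the tokens are constructed.
const { createHmac, timingSafeEqual } = require('node:crypto');

const b64url = (text) => Buffer.from(text).toString('base64url');

// Decode only: reads Header and Payload, proves nothing about authenticity.
function decodeJwt(input) {
  const token = input.trim().replace(/^Bearer\s+/i, ''); // drop whitespace and Bearer prefix
  const parts = token.split('.');
  if (parts.length === 5) throw new Error('five parts: JWE, needs a key to decrypt');
  if (parts.length !== 3) throw new Error('not a header.payload.signature JWT');
  const [header, payload] = parts.slice(0, 2)
    .map((part) => JSON.parse(Buffer.from(part, 'base64url').toString('utf8')));
  // exp is seconds since the epoch; render it as a date when present.
  const expires = typeof payload.exp === 'number'
    ? new Date(payload.exp * 1000).toISOString() : null;
  return { token, header, payload, expires };
}

// Verify: recompute the HS256 signature over "header.payload" with the secret.
function verifyHs256(input, secret) {
  const { token, header } = decodeJwt(input);
  if (header.alg !== 'HS256') return false; // pin the algorithm the server expects
  const [head, body, sig] = token.split('.');
  const expected = createHmac('sha256', secret).update(`${head}.${body}`).digest();
  const given = Buffer.from(sig, 'base64url');
  return given.length === expected.length && timingSafeEqual(given, expected);
}

// Constructed sample data: a signed token and a copy with an edited payload.
const SECRET = 'constructed-demo-secret';
function sign(payload) {
  const unsigned = `${b64url('{"alg":"HS256","typ":"JWT"}')}.${b64url(JSON.stringify(payload))}`;
  return `${unsigned}.${createHmac('sha256', SECRET).update(unsigned).digest('base64url')}`;
}
const genuine = sign({ sub: '42', scope: 'read', exp: 1900000000 });
const [genuineHeader, , genuineSig] = genuine.split('.');
const forgedPayload = b64url(JSON.stringify({ sub: '42', scope: 'admin', exp: 1900000000 }));
const forged = `${genuineHeader}.${forgedPayload}.${genuineSig}`;

// The forged token decodes cleanly; only verification rejects it.
console.log(decodeJwt(`Bearer ${forged}`).payload.scope, verifyHs256(forged, SECRET));
console.log(decodeJwt(genuine).expires, verifyHs256(genuine, SECRET));
```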

Use cases

Login debugging

Inspect sub, scope, iat and exp fields when login state behaves unexpectedly.

API integration

Confirm bearer tokens contain the expected role or permission claims.

Expiration checks

Find exp or iat fields to investigate session lifetime problems.

FAQ

Is my JWT uploaded?

No. The token is decoded locally in your browser.

Is decoding the same as verification?

No. Decoding only reads the encoded JSON. Signature verification requires a secret or public key.

Why does JWT decoding fail?

The token may include a Bearer prefix, be incomplete, lack the normal three-part structure or contain extra whitespace.

Can I see whether a token is expired?

If the payload includes exp, you can inspect that field. The page does not currently format exp as a date automatically.

Can I trust the decoded payload?

Use it for inspection only. A payload is not trustworthy until the token signature is verified.

Do I need to sign in?

No. The JWT decoder is free and requires no account.

Can this decode JWE encrypted tokens?

No. JWE is encrypted and needs keys. This tool is for common JWT/JWS viewing.

Should I paste production tokens here?

The tool does not upload them, but production tokens are still sensitive. Only inspect them when needed and avoid leaving results in the clipboard.