Decode/Encode JWT
Decode JWT header and payload data or create unsigned example tokens from JSON input for debugging, education, and authentication troubleshooting.
Loading tool...
About Decode/Encode JWT
Encode and decode data free online with Decode/Encode JWT. Browser-based, no signup, no installation — instant results for security teams.
Decode/Encode JWT is a free browser-based utility for inspecting JSON Web Tokens and generating sample token structures from header and payload JSON. It is especially useful for developers, QA teams, API integrators, and security-minded operators who need a quick way to understand what a token contains during authentication debugging. Instead of manually splitting a token and base64-decoding it in a console, you can paste it into the tool and immediately see the decoded header and payload in readable JSON. JWTs are widely used in modern authentication and authorization flows because they can carry claims in a compact, URL-safe format. A typical token contains a header, payload, and signature. The header describes the algorithm, the payload contains claims such as `sub`, `exp`, or role information, and the signature is used to verify integrity. When debugging auth issues, developers often need to inspect only the readable parts first. That is exactly where a decoder becomes useful. The encode side of the tool is equally helpful in test environments. You can draft a header and payload JSON object and produce a structurally correct sample token for demos, QA, or educational purposes. It is important to remember that the generated token here uses a placeholder signature and is not a secure, signed production credential. This tool is for inspection and workflow assistance, not for issuing trusted authentication tokens. JWT debugging comes up often in API work, identity integrations, SSO troubleshooting, and local development. A simple token viewer can save time by revealing obvious issues such as missing claims, invalid JSON, wrong `alg` values, or malformed structure. Because everything happens in the browser, the tool is fast enough to use during everyday implementation work. Paste, inspect, and move on without opening external libraries or building throwaway scripts.
Key features
- JWT decode mode. Paste a token and inspect its header and payload immediately in readable JSON format.
- JWT encode mode. Build example token structures from header and payload JSON during development or testing.
- Helpful for auth debugging. Useful for identifying claim-level issues in APIs, frontend auth flows, and identity integrations.
- Copy-ready output. Move decoded header, payload, or generated token strings into docs, tickets, and test workflows quickly.
- Low-friction browser workflow. Avoid temporary scripts and inspect token contents directly during implementation work.
Common use cases
- Debugging an API authorization failure. Developers can inspect claims like `sub`, `aud`, roles, or expiration values to understand why access was denied.
- Teaching JWT structure. Teams and students can see the relationship between header, payload, and signature more clearly.
- Creating test tokens for QA. QA engineers can generate structurally correct sample tokens to test interfaces and token-handling flows.
- Inspecting third-party auth output. Integrators can quickly review whether an identity provider is returning the claims they expect.
How to use it
- Choose decode or encode mode — Start in the mode that matches whether you want to inspect an existing token or build a sample one.
- Paste a token or JSON input — Add the JWT string for decode mode or enter header and payload JSON for encode mode.
- Run the action — Decode the token or generate a sample JWT from the JSON you provided.
- Review the result — Inspect the decoded claims or the generated token structure carefully before using it in a workflow.
- Copy what you need — Move the header, payload, or token output into your tests, notes, or support conversation.
Examples
Decode a standard auth token
Input eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKx...
Output Readable JSON header and payload showing algorithm, subject, name, and issued-at claim values.
Generate a sample test token
Input Header JSON with `alg` and `typ`, plus payload JSON with `sub`, `role`, and `iat`
Output A structurally correct sample JWT with a placeholder signature for test and demo use.
Auth claim inspection
Input Token from a failing API request
Output Decoded claims that reveal missing roles or an expired timestamp during debugging.
Troubleshooting
The token will not decode
Cause The JWT may be malformed, missing sections, or not actually using the standard three-part structure.
Fix Confirm the token contains header, payload, and signature sections separated by periods, then retry with the full value.
The decoded claims look correct but the app still rejects the token
Cause Signature verification, audience checks, issuer validation, or expiration rules may still be failing on the server.
Fix Use the decoded output as a starting point, then verify signature and claim validation in the real auth stack.
The generated token does not work in my app
Cause The encode mode creates a sample structure, not a truly signed production token.
Fix Generate or sign real JWTs in your application or auth provider using the correct secret or key pair.
FAQ · 05
What parts of a JWT can this tool decode?
The tool decodes the readable header and payload portions of a token, which are base64url-encoded JSON sections. This is usually enough for debugging claims and token structure. The signature itself is not meaningfully 'decoded' into something human-readable because it is a cryptographic verification value.
Does decoding a JWT verify that it is valid?
No. Decoding only reveals the readable content inside the token. It does not prove that the signature is trustworthy, that the token is unexpired, or that it was issued by a trusted system. Validation requires proper signature verification and claim checks in the right environment.
Is the encoded token generated here production-safe?
No. The encode mode is useful for structure testing, examples, and debugging, but it uses a placeholder signature rather than a real signing secret or private key. It should not be used as an authentication credential in a production application.
Why is JWT useful in API debugging?
JWT payloads often contain clues about authentication and authorization issues, such as missing roles, wrong audiences, expired timestamps, or incorrect subjects. Decoding them quickly makes it easier to understand why an API or app is accepting or rejecting a request.
Can I safely paste real tokens into online tools?
You should always be cautious with real production tokens. Browser-based tools can still be convenient, but highly sensitive credentials should only be handled according to your security policies. Avoid exposing live privileged tokens unless you are fully comfortable with the environment and risk.
Working in security and networking? You may also need JavaScript Obfuscator, User Agent Finder or What Is My IP — part of our security and networking toolkit.
Blog Posts About This Tool
Learn when to use Decode/Encode JWT, common workflows, and related best practices from our blog.
How to Decode a JWT Safely (Without Sending It to a Server)
Decode a JWT to read its header and payload in seconds — and learn why decoding is not verifying, when it's safe to paste a token online, and how to do it in the browser.
Top Free Tools for Web Developers: Boost Your Productivity with Discover Web Tools
Top free web development tools in 2025: JSON formatters, regex testers, API clients, code minifiers, and more. All browser-based — no install, no signup.
Unveiling the Magic of Base64 Encoding: Simplifying Data Handling
What is Base64 encoding and how does it work? Learn the fundamentals, common use cases in web dev, and how to encode or decode data online for free.