Developer
6 min read
February 15, 2026

How to Decode a JWT Token Online for Free (Header, Payload & Signature)

Debugging an authentication issue and staring at a long jumbled string? Here's how to decode a JWT and see exactly what's inside, for free.

What Is a JWT?

A JSON Web Token (JWT) is a compact, URL-safe way of representing claims (like "this user is logged in as Alice") that can be verified and trusted because it's digitally signed. JWTs are everywhere in modern authentication — APIs, single sign-on, session tokens.

A JWT looks like three Base64URL-encoded segments separated by dots — a header, a payload, and a signature.

What's Inside Each Part

  • Header: Specifies the signing algorithm (e.g., HS256) and token type
  • Payload: Contains the actual claims — user ID, expiration time, roles, custom data
  • Signature: A cryptographic signature that lets the server verify the token hasn't been tampered with

    • How to Decode a JWT for Free

  • Open the JWT Decoder
  • Paste your JWT token
  • Instantly see the decoded header and payload as readable JSON, plus the raw signature
  • Copy any section with one click for further debugging

    • Why This Matters for Debugging

    When an API call fails with "unauthorized" or "token expired," decoding the JWT lets you immediately check: Is the expiration claim in the past? Does the subject/user ID match what you expect? Is the algorithm what your server expects?

    Frequently Asked Questions

    Does this tool verify the token's signature?

    No — it decodes and displays the header and payload for inspection. Verifying a signature requires the secret key or public certificate, which should never be entered into a third-party tool.

    Is it safe to paste my JWT here?

    Decoding happens entirely in your browser — the token is never transmitted to a server. That said, treat tokens like passwords and avoid pasting production tokens with sensitive claims into any tool unnecessarily.

    Why do I get a decode error?

    Make sure you've pasted the complete token, including all three dot-separated segments, with no extra whitespace or line breaks.

    Related Tools

    JWTs are Base64URL-encoded — learn more with the Base64 Encoder/Decoder, or generate test tokens and IDs with the UUID & Hash Generator.

    Written by the GMC Tools team

    Try These Tools

    JWT Decoder

    Decode JSON Web Tokens and inspect header & payload

    Try free

    Base64 Encoder/Decoder

    Encode text to Base64 or decode Base64 strings instantly

    Try free

    UUID & Hash Generator

    Generate UUIDs and MD5/SHA hashes instantly

    Try free

    More Articles

    QR Codes for Business: A Complete Guide to Creating and Using Them

    QR codes went from gimmick to essential business tool during COVID. Here's everything to use them effectively.

    How to Create Strong Passwords That Hackers Can't Crack

    '123456' is still the most common password in 2025. Here's the actual science of what makes passwords strong.

    JSON Explained: A Beginner's Guide to Understanding JSON Data

    JSON is the language the internet uses to pass data between apps. Six data types, two rules — then everything clicks.