JWT decoder (no network)

Paste a JSON Web Token to inspect the decoded header and payload locally.

Signature validation is not performed. Do not rely on decoded data without verifying the signature separately.


JWT structure at a glance

JSON Web Tokens package authentication claims into a compact string of three segments separated by dots. Each segment is Base64URL encoded (not encrypted), which is why the header and payload can be decoded locally without contacting any external service.

| Segment | Contains | Example | Security notes |
|---|---|---|---|
| Header | Algorithm (`alg`) and token type (`typ`). | `{"alg":"HS256","typ":"JWT"}` | Never accept `"alg":"none"` in production. |
| Payload | Claims about the subject, issuer, scopes. | `{"sub":"123","exp":1700000000}` | Visible to anyone with the token. Do not store secrets here. |
| Signature | HMAC or asymmetric signature over the header and payload segments. | `HMACSHA256(base64Url(header) + "." + base64Url(payload), secret)` | Required to verify authenticity. This tool does not compute it. |

Best practices when working with JWTs

Decoding claims is only the first step. Use these guidelines to keep tokens safe and your APIs predictable.

Always verify signatures

Decode to inspect, but never trust claims until you validate the signature with the issuer's secret or public key.

Enforce expiry and audiences

Reject expired tokens and ensure aud/iss claims match your application to prevent replay across services.

Avoid sensitive claims

Anyone who obtains the JWT can read payload data. Store secrets server-side or encrypt the token with JWE when necessary.
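As an added example that is not part of this page or the HashyTools decoder, the Python below does what the structure table and the three guidelines above describe: `decode_unverified` splits the token on its dots and Base64URL-decodes the header and payload (exactly what a decoder shows, with no proof of authenticity), while `verify_hs256` pins the algorithm to HS256 (so `"alg":"none"` is refused), checks the HMAC in constant time, and only then enforces `exp`, `iss` and `aud`. The secret, issuer, audience, claims and the `sign_hs256` helper that mints a token to verify are constructed sample values for the example, not from any real issuer.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed sample values for this example only; not from any real issuer.
SECRET = b"example-shared-secret-not-for-production"
ISSUER = "https://issuer.example"
AUDIENCE = "api.example"


def b64url_decode(segment: str) -> bytes:
    """Base64URL decode, restoring the '=' padding that JWT segments omit."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    """Base64URL encode without padding, the way JWT segments are written."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def decode_unverified(token: str) -> Tuple[dict, dict]:
    """What a decoder like this page does: split on the dots and decode header and payload.
    Nothing here proves the token is genuine; it only shows what the token claims."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    return header, payload


def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    """Issuer side (assumed, for the example): build a signed token so there is something to verify."""
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_hs256(token: str, secret: bytes, expected_iss: str, expected_aud: str,
                 now: Optional[int] = None) -> dict:
    """Verifier side: check the signature first, then exp/iss/aud.
    Returns the claims on success and raises ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_seg, payload_seg, sig_seg = parts
    header = json.loads(b64url_decode(header_seg))
    # The verifier pins the algorithm; the token's own alg is not trusted. This refuses
    # "alg":"none" and any algorithm this verifier was not configured for.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg: %r" % header.get("alg"))
    expected = hmac.new(secret, (header_seg + "." + payload_seg).encode("ascii"),
                        hashlib.sha256).digest()
    # Constant-time comparison so the check does not leak how many bytes matched.
    if not hmac.compare_digest(expected, b64url_decode(sig_seg)):
        raise ValueError("signature mismatch")
    claims = json.loads(b64url_decode(payload_seg))
    now = int(time.time()) if now is None else now
    # exp is required here and must be strictly in the future (RFC 7519 "now before exp").
    if "exp" not in claims or now >= int(claims["exp"]):
        raise ValueError("token expired or missing exp")
    if claims.get("iss") != expected_iss:
        raise ValueError("issuer mismatch")
    aud = claims.get("aud")  # aud may be a single string or a list of audiences
    if expected_aud not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    return claims


if __name__ == "__main__":
    token = sign_hs256({"alg": "HS256", "typ": "JWT"},
                       {"sub": "123", "iss": ISSUER, "aud": AUDIENCE, "exp": 1700000000},
                       SECRET)
    print(decode_unverified(token))
    print(verify_hs256(token, SECRET, ISSUER, AUDIENCE, now=1699999999))
```

The order inside `verify_hs256` is deliberate: the algorithm is fixed by the verifier's configuration rather than read from the header, the signature is checked before any claim is interpreted, and the time and audience checks run only on a payload that has already been authenticated. An asymmetric (RS256/ES256) verifier follows the same shape with a public key in place of the shared secret.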

Quick question

Do you decode JWTs for debugging or to inspect claims in development? Use the decoder above to view header and payload.

JWT decoder FAQ

What are the three parts of a JWT?

A JWT contains a header, payload, and signature separated by dots. The header defines the algorithm, the payload carries claims, and the signature proves authenticity when verified with the correct key.

Does decoding a JWT verify its authenticity?

No. Decoding only reveals the Base64URL-encoded JSON. You must verify the signature before you trust any claim in the payload.

What risks exist when handling JWTs?

Tokens can leak sensitive information and be replayed if you skip expiration or revocation checks. Avoid logging JWTs, and refuse tokens signed with weak secrets or with the `none` algorithm.

Can I decode encrypted JWTs (JWEs) with this tool?

No. The decoder targets signed JWTs (JWS). Encrypted JWEs require the decryption key and algorithms that are outside the scope of this page.

Does the decoder upload my tokens?

No. HashyTools processes JWTs entirely on your device so your secrets and claims remain private.