← All tools
Token tool - JWT Decoder

Decode JWT tokens safely

Inspect JWT header and payload locally. No token upload, no external API calls.

JWT token

Paste a JWT to decode its header and payload.

Decode only — no signature verificationThis tool reads the header and payload sections of a JWT. It does not validate the signature or expiry. All processing happens in your browser.

Decoded output

Paste a JWT token to see its contents.

Why this tool exists

Vultio JWT Decoder splits a JSON Web Token into its three parts and decodes the header and payload sections directly in your browser.

JWTs are base64url-encoded JSON objects. Decoding them reveals claims like user ID, roles, expiry time, and the signing algorithm — useful for debugging authentication flows without needing a backend.

Common use cases

  • Inspect JWT claims (sub, exp, iat, roles) returned by an auth server during development.
  • Quickly verify the algorithm field in the header before troubleshooting signature errors.
  • Decode a token from a failing API request to check expiry or missing claims.
  • Understand the structure of tokens issued by third-party OAuth providers.
  • Teach JWT format and structure in documentation or security training materials.

Example input / output

Minimal token

Input

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkFsaWNlIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Output

// Header { "alg": "HS256", "typ": "JWT" } // Payload { "sub": "1234567890", "name": "Alice", "iat": 1516239022 }

Common errors

Invalid JWT: expected 3 parts separated by "." but got N.

Cause: The input is not a valid JWT. JWTs always have exactly three dot-separated segments.

Fix: Ensure you copied the complete token including all three parts. Check for accidental truncation or line breaks.

Failed to decode header: not valid base64url.

Cause: The first segment contains characters outside the base64url alphabet or is otherwise corrupted.

Fix: Double-check that you copied the full, unmodified token. Avoid URL-decoding the token before pasting it here.

Header decoded but is not valid JSON.

Cause: The decoded bytes are not a JSON object, which suggests the token is malformed or uses an unusual encoding.

Fix: Verify the token source. Standard JWTs always have JSON objects as header and payload.

Related guides

JWT Decoder Security Notes: Decode vs Verify

What JWT decoding shows, what it does not prove, and safe debugging practices.

Related tools

Base64 Encoder / Decoder

Encode text to Base64 or decode Base64 back to plain text, entirely in the browser.

JSON Formatter

Format raw JSON to make it easier to inspect.

Secret Generator

Generate passwords, API keys, and JWT secrets.

Frequently asked questions

Does JWT Decoder verify signatures?

No. This tool decodes JWT parts only and does not validate signatures.

Is my token sent anywhere?

No. The token is processed entirely in your browser.