How to Decode a JWT
Decoding a JWT reveals what's inside it. Because the payload is only base64url-encoded (not encrypted), anyone can read it.
Decode online
The simplest way is the JWT decoder — paste the token and instantly see the decoded header and payload. It runs locally, so your token never leaves your browser.
Decode in JavaScript
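A token is three dot-separated parts: header, payload and signature. The function below decodes the header and the payload (the middle part):
function decodeJwt(token) {
  // Decode the first two segments (header, payload); the third is the signature.
  const [header, payload] = token.split('.').slice(0, 2).map(seg => {
    // base64url -> base64; atob() accepts input without '=' padding
    const b64 = seg.replace(/-/g, '+').replace(/_/g, '/');
    // atob() returns one character per byte, so decode as UTF-8 to keep non-ASCII claims intact
    const bytes = Uint8Array.from(atob(b64), c => c.charCodeAt(0));
    return JSON.parse(new TextDecoder().decode(bytes));
  });
  return { header, payload };
}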
Decode on the command line
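echo "<payload-segment>" | tr '_-' '/+' | base64 --decode
(The tr step maps the base64url characters _ and - back to / and +. You'll also need to add the base64url padding back first: append = until the segment length is a multiple of 4.)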
Decoding is NOT verifying
This is the critical point: decoding only reads the token — it does not check the signature. A decoded token could be forged or expired. To trust a token you must verify its signature against the secret or public key. See how to verify a JWT signature.
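The difference between decoding and verifying, as an added Node.js example (not code from the original page). It assumes an HS256 token; the helper names, secret, claims and timestamps are constructed for the demonstration.

```javascript
// Added example (not from the original page): decoding vs. verifying an HS256 JWT.
const crypto = require('node:crypto');

const b64url = (buf) => Buffer.from(buf).toString('base64url');
const decodePart = (seg) => JSON.parse(Buffer.from(seg, 'base64url').toString('utf8'));

// Hypothetical helper: sign a token so the demo is self-contained.
function signHs256(payload, secret) {
  const head = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }));
  const body = b64url(JSON.stringify(payload));
  const sig = crypto.createHmac('sha256', secret).update(`${head}.${body}`).digest();
  return `${head}.${body}.${b64url(sig)}`;
}

// Check structure, algorithm, signature, then expiry. Returns { ok, reason, payload }.
function verifyHs256(token, secret, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = token.split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  const [head, body, sig] = parts;
  let header, payload;
  try { header = decodePart(head); payload = decodePart(body); }
  catch { return { ok: false, reason: 'malformed' }; }
  // Pin the algorithm: the token's own header must not choose it (rejects "none").
  if (header.alg !== 'HS256') return { ok: false, reason: 'unexpected alg' };
  const expected = crypto.createHmac('sha256', secret).update(`${head}.${body}`).digest();
  const given = Buffer.from(sig, 'base64url');
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected))
    return { ok: false, reason: 'bad signature' };
  if (typeof payload.exp === 'number' && payload.exp <= nowSec)
    return { ok: false, reason: 'expired' };
  return { ok: true, payload };
}

// Constructed sample data.
const SECRET = 'demo-secret-not-for-production';
const NOW = 1700000000;
const good = signHs256({ sub: 'alice', role: 'user', exp: NOW + 300 }, SECRET);
// Same header and signature, but an edited payload: it still decodes cleanly.
const [h, , s] = good.split('.');
const tampered = `${h}.${b64url(JSON.stringify({ sub: 'alice', role: 'admin', exp: NOW + 300 }))}.${s}`;

console.log(decodePart(tampered.split('.')[1])); // decoding alone accepts the edited claims
console.log(verifyHs256(tampered, SECRET, NOW)); // verification rejects them
console.log(verifyHs256(good, SECRET, NOW));     // the untouched token passes
```

Only the claims returned by a successful verification should reach authorization logic; the decoded-but-unverified payload is for inspection only.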
Try it
Use the JWT decoder to inspect a token, then the JWT validator to confirm its signature and expiry.