snaptools
J
JWT Decoder
Secret
// about this tool

JWT Decoder Online

Updated 2026-07-09

Decode a JWT online to read its header and payload instantly, in your browser. Paste a JSON Web Token and SnapTools splits it into its three parts and pretty-prints the decoded header and claims — and if you paste the secret, it verifies the HS256/384/512 signature so you know the token is authentic. Nothing is uploaded; because a JWT is a credential, decoding happens entirely on your machine.

A JWT's header and payload are only Base64URL-encoded, not encrypted, so anyone can read them — which is exactly why a quick, private decoder is handy for debugging logins, checking a token's expiry, or learning how JWTs are put together. Just remember never to store secrets in a payload.

// how to use

  1. 1 Paste a JWT (the long header.payload.signature string) into the input panel.
  2. 2 SnapTools decodes and pretty-prints the header and payload so you can read the claims.
  3. 3 Optionally paste your secret to verify the HS256/384/512 signature and confirm the token is authentic.

// examples

Decoded header and payload
Input
eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjMiLCJuYW1lIjoiQWRhIn0.signature
Output
header:  { "alg": "HS256", "typ": "JWT" }
payload: { "sub": "123", "name": "Ada", "iat": 1700000000 }

// common uses

Debugging authentication and login flows Inspecting claims and token expiry Verifying a token's signature Learning how JWTs are structured

// faq

No. The JWT is decoded entirely in your browser, so your token and its claims never leave your machine — important, because a JWT is a credential.
Decoding just reads the header and payload (they're only Base64-encoded, not encrypted). To confirm the token is authentic, paste the secret and the tool verifies the HS256/384/512 signature.
Yes — the header and payload are Base64URL-encoded, not encrypted. Never put secrets in a JWT payload; anyone holding the token can read it.
They're standard claims — iat is "issued at" and exp is "expires at", both Unix timestamps. The decoder shows them so you can check whether a token is expired.
Signature verification supports the HMAC family — HS256, HS384, and HS512 — using the secret you provide. Public-key (RS/ES) tokens are decoded read-only.

↳ Curious to go deeper? Read the How JWT authentication works guide →

Use this via API

Get a free API key →
curl -X POST https://snaptools.dev/api/v1/tools/jwt-decoder \
  -H "Authorization: Bearer YOUR_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"token":"eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiIxMjMiLCJuYW1lIjoiQWRhIn0.signature"}'
Esc
↑↓ navigate open Esc close