How to decode a JWT token (safely, offline)

Updated 2026-06-21

A JWT is decoded by splitting it on its two dots into three segments — header, payload and signature — and base64url-decoding the first two into JSON. The header and payload are not encrypted, just encoded, so anyone can read them. Decoding tells you what a token claims; verifying the signature tells you whether to trust it.

The three parts of a JWT

A token looks like header.payload.signature. Each part is base64url (the URL-safe alphabet, no padding):

Paste a token into the JWT Local Inspector and it colors each segment, decodes the header and payload to pretty JSON, and shows the signature as raw bytes.

Reading the standard claims

Most of what you care about lives in the payload as registered claims:

The time claims are seconds since 1970, which are hard to read at a glance. The inspector converts iat, nbf and exp to your local date and time and adds a relative label like "in 3d" or "2h ago," and it flags a token that is expired or not yet valid so you do not have to do the math.

Verifying the signature

Decoding never proves a token is genuine — only verifying the signature does. How you verify depends on the algorithm in the header:

  1. HMAC (HS256/384/512) — paste the shared secret. If your identity provider stores that secret base64-encoded (Auth0 and Hasura commonly do), switch the secret encoding to base64, or you will get a false "signature mismatch."
  2. RSA / ECDSA / EdDSA (RS, PS, ES, EdDSA) — paste the matching public key as a PEM/SPKI block, an X.509 certificate, or a JWK. You never need the private key to verify.

One security note worth knowing: a header that says alg: none means the token is unsigned and trivially forgeable. The inspector warns on this, because a verifier that honors "none" can be tricked into accepting anything.

Why decode it locally

A JWT often carries session identity, so pasting one into a random website is a real risk. The JWT Local Inspector does every step — decoding, claim checks and cryptographic verification via the browser's Web Crypto — entirely on your device. Nothing is uploaded and there are zero network calls, so even a live production token is safe to inspect.

Have a token to crack open? Paste it into the JWT Local Inspector and read its claims in seconds.
