This tool decodes a JSON Web Token, or JWT, so you can read what is inside it, splitting it into its header and payload and showing the claims in readable form. JSON Web Tokens are the standard way modern web applications carry identity and authorisation information between a server and a client. After you log in, the server often issues a JWT that your browser sends back with each request to prove who you are. A token is three parts separated by dots: a header describing the algorithm, a payload containing the claims such as the user ID and an expiry time, and a signature that lets the server confirm the token has not been tampered with. The header and payload are simply Base64url-encoded JSON, not encrypted, so anyone can read them, which is exactly what this tool does. You paste a token, and the calculator decodes the header and payload and displays the JSON neatly, so you can inspect the claims, check the expiry, or debug an authentication problem. Everything runs in your browser and nothing is uploaded, which matters because tokens often grant access and should not be shared. The result updates as you paste. Use it to debug login and API issues, to read the claims a token carries, or to learn how JWTs are structured. Two important points: this tool decodes but does not verify the signature, since that requires the secret or public key held by the server, so a decoded token is not a validated one. And because the payload is only encoded, never put secrets in a JWT, as anyone holding the token can read them.
Decodes the header and payload only. The signature is NOT verified, so a decoded token is not validated. Never put secrets in a JWT; the payload is readable by anyone.
The token is split at its two dots into three parts. The first two, the header and payload, are Base64url-encoded JSON. The decoder converts each from Base64url back to text and formats the resulting JSON. The third part, the signature, is left alone, since verifying it requires the server's secret or public key.
Pasting a standard example token decodes the header to show the algorithm HS256 and type JWT, and the payload to show claims like the subject 1234567890, the name John Doe and an issued-at timestamp. The signature is shown as present but not checked, since verification needs the signing key the server holds.
If you've found a bug, or would like to contact us, or learn more about James Graham and Calculate.co.nz.
Calculate.co.nz is partnered with Interest.co.nz for New Zealand's highest quality calculators and financial analysis.
All calculators and tools are provided for educational and indicative purposes only and do not constitute financial advice.
Calculate.co.nz is proudly part of the Realtor.co.nz group, New Zealand's leading property transaction literacy platform, helping Kiwis understand the home buying and selling process from start to finish. Whether you're a first home buyer navigating your first property purchase, an investor evaluating your next acquisition, or a homeowner planning to sell, Realtor.co.nz provides clear, independent, and trustworthy guidance on every step of the New Zealand property transaction journey.
Calculate.co.nz is also partnered with Health Based Building and Premium Homes to promote informed choices that lead to better long-term outcomes for Kiwi households.
Calculate.co.nz is hosted in Auckland via SiteHost new Zealand.
All content on this website, including calculators, tools, source code, and design, is protected under the Copyright Act 1994 (New Zealand). No part of this site may be reproduced, copied, distributed, stored, or used in any form without prior written permission from the owner.
© 2019 to 2026 Calculate.co.nz. All rights reserved.