Answer

How to decode a JWT token

Decode and inspect a JWT — header, payload, and claims — instantly in your browser. Nothing is uploaded.

A JWT is three Base64URL parts joined by dots: header.payload.signature. To decode it, paste the token into a JWT decoder, which Base64URL-decodes the header and payload into readable JSON. Decoding does not require the secret — the header and payload are not encrypted, only encoded.

Input
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0In0.<signature>
Output
header: {"alg":"HS256","typ":"JWT"}
payload: {"sub":"1234"}

Anyone can read a JWT’s header and payload — never put secrets in them.


Steps

  1. Open the JWT tool and paste the full token (header.payload.signature) into the input.
  2. Read the decoded header and payload, shown as formatted JSON.
  3. Inspect standard claims such as exp (expiry), iat (issued-at), iss, and sub.
  4. To verify the signature, provide the secret or public key — decoding alone does not prove authenticity.
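The difference between steps 2 and 4, as an added example (not code from the decoder tool itself): it decodes the sample token from this page without any key, then shows that a token with an edited payload still decodes cleanly and is only caught by signature verification. The secret, the tampered payload and the function names are constructed for illustration.

```python
import base64, hashlib, hmac, json

def b64url_decode(segment: str) -> bytes:
    # JWT segments drop the trailing "=" padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def decode_unverified(token: str):
    """Return (header, payload) as dicts. No key is used, so nothing is authenticated."""
    header_b64, payload_b64, _signature = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))

def sign_hs256(signing_input: str, secret: bytes) -> str:
    mac = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return b64url_encode(mac)

def verify_hs256(token: str, secret: bytes) -> bool:
    """Recompute HMAC-SHA256 over 'header.payload' and compare in constant time."""
    header_b64, payload_b64, signature_b64 = token.split(".")
    # Pin the algorithm the verifier expects instead of trusting the header's choice.
    if json.loads(b64url_decode(header_b64)).get("alg") != "HS256":
        return False
    expected = sign_hs256(f"{header_b64}.{payload_b64}", secret)
    return hmac.compare_digest(expected.encode("ascii"), signature_b64.encode("ascii"))

# Header and payload segments are the ones shown in the Input above.
SIGNING_INPUT = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0In0"
SECRET = b"constructed-demo-secret"  # constructed for this example only
TOKEN = SIGNING_INPUT + "." + sign_hs256(SIGNING_INPUT, SECRET)

# Constructed tampered token: payload swapped, original signature kept.
header_b64, _, signature_b64 = TOKEN.split(".")
TAMPERED = ".".join([header_b64, b64url_encode(b'{"sub":"9999"}'), signature_b64])

if __name__ == "__main__":
    for label, tok in (("original", TOKEN), ("tampered", TAMPERED)):
        header, payload = decode_unverified(tok)
        print(label, header, payload, "signature valid:", verify_hs256(tok, SECRET))
```

Both tokens print readable JSON; only the original reports a valid signature.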

Frequently asked questions

Can I decode a JWT without the secret?
Yes. The header and payload are only Base64URL-encoded, so they can always be read without any key. The secret is only needed to verify the signature, not to decode the contents.

Is it safe to paste a JWT into an online decoder?
With programmes.net it is decoded entirely in your browser — the token is never sent to a server. Still, treat real tokens carefully, since a valid token grants access until it expires.