JWTs look like three blocks of random characters joined by dots. But the middle section — the payload — is just JSON encoded in Base64url. You don't need the signing key to read it; you only need the key to verify it hasn't been tampered with. Decoding the payload is a read-only operation anyone can do.

When you're debugging auth flows, checking token expiry, or verifying what claims a service is sending, decoding the payload is the fastest way to get that information.

What's Inside a JWT

A JWT has three sections separated by dots:

HEADER.PAYLOAD.SIGNATURE

The header contains the token type and signing algorithm. The payload contains the claims as Base64url-encoded JSON. The signature verifies the token's authenticity — but it's not needed to read the payload.

Decoding the Payload with TextForge

TextForge is a Chrome extension with 50+ text utilities. Base64 decode is in the free version and runs entirely locally — nothing is transmitted.

  1. 1
    Copy the full JWT
    Get the token from DevTools (Network tab → Authorization header, minus the "Bearer " prefix), your API client, or an environment variable.
  2. 2
    Extract the payload section
    The JWT has three sections divided by dots. Copy only the second section — everything between the first and second dots.
  3. 3
    Open TextForge
    Click the TextForge icon in your browser toolbar to open the extension.
  4. 4
    Paste and apply Base64 Decode
    Paste the payload section into the input area and select Base64 Decode from the tools menu.
  5. 5
    Read the claims
    The decoded JSON appears immediately. You'll see the user ID, expiry timestamp, roles, and any other claims the token carries.

What the Decoded Payload Looks Like

{"sub":"user_123","email":"user@example.com","role":"admin","exp":1762000000,"iat":1750000000,"aud":"api.example.com"}

Key claims to check: exp is a Unix timestamp — if it's in the past, the token is expired. sub identifies the user. aud tells you which service the token was issued for. If a request is getting rejected with a 401, these three fields usually tell you why.

Why Not Use jwt.io?

jwt.io is convenient and the standard go-to. But it sends your token to a server for decoding. For tokens that contain real user IDs, email addresses, or internal scope claims, it's a habit worth reconsidering — especially when debugging production issues where tokens contain live data.

TextForge decodes in your browser's local extension context. The token never leaves your machine.

Frequently Asked Questions

Can I decode the JWT signature this way?

The signature is also Base64url-encoded, but decoding it gives you raw binary — not readable content. The payload (second section) is what contains the claims you want to inspect.

Does TextForge verify the JWT signature?

No. TextForge decodes the payload for inspection only. Signature verification requires the secret or public key and is handled server-side. For debugging purposes, reading the claims is all you typically need.

Does this work offline?

Yes. Base64 decode runs locally in the extension. No internet connection is required.

Related guides
Base64 Encode and Decode Online — No Upload, No Command Line Full guide to Base64 encode and decode workflows in the browser How to Base64 Encode Kubernetes Secrets Without a Web Tool Encode secret values for YAML manifests locally

TextForge is free. Base64 decode — and 50+ other text utilities — are available without an account or subscription.

Install TextForge — free