JWT Decoder

Decode and inspect JWT headers & payloads locally.

Paste any JSON Web Token to see its header, payload, expiry, and signature — entirely in your browser. Unlike popular JWT websites, your tokens never leave your machine, so it's safe to inspect production auth tokens.

Category: Developer & Data
Privacy: Runs in your browser
Uploads: No server upload
Access: Free, no signup

JWT

100% Private. Processed locally on your device. Your data never touches a server.

Header

{
  "alg": "HS256",
  "typ": "JWT"
}

Payload

{
  "sub": "1234567890",
  "name": "Ada Lovelace",
  "iat": 1700000000
}

Signature

s8h5_vJqgF1lY4mZ1Yj1rsVoVbU8aoP7CqJh3z3hY8I

How to use

1Paste the full JWT (three Base64 segments separated by dots).
2Inspect the decoded header, claims payload, and signature.
3Check the `exp` claim against the current time to spot expired tokens.

Popular use cases

→Debug auth issues by inspecting the `sub`, `iss`, and `aud` claims.
→Verify token expiry without firing a request to your API.
→Check that custom claims are being set correctly by your auth provider.

Frequently asked questions

Is it safe to paste a production token?+

Yes — the decoding runs locally and we never transmit the token. That said, you should rotate any token you've shared in screenshots or chat.

Does it verify the signature?+

No — verification requires the secret/public key. The decoder only parses the structure.

More in Developer & Data

{ }

JSON Formatter & Validator

Validate & prettify JSON with precise error reporting.

📊

CSV to JSON Converter

Turn CSV into clean JSON arrays — locally and instantly.

🔤

Base64 Image Encoder

Encode images to Base64 data URIs in one drop.

🔗

URL Encode / Decode

encodeURIComponent & decodeURIComponent, beautifully.