JWT Decoder
Decode JWT tokens locally — nothing is sent to a server
How it works
Splits a JSON Web Token into its header, payload, and signature segments and decodes the Base64URL-encoded header and payload into JSON, without sending the token to any server. The signature segment is raw bytes, not JSON, and is shown as-is.
Who it's for: Developers debugging OAuth, OpenID Connect, and API authentication flows
Decodes the header and payload into formatted JSON for inspection of claims like sub, exp, iss, and roles.
Works offline in the browser; ideal for development and staging tokens.
Does not verify the cryptographic signature—use your backend or a trusted library for validation.
How to use
- Paste the full JWT (three dot-separated segments) into the input field.
- Review the decoded Header for algorithm (alg) and token type (typ).
- Inspect the Payload for subject, expiration (exp), issuer, audience, and custom claims.
- Compare exp (Unix seconds) with the current time to see if the token is expired.
- Never paste production secrets or long-lived refresh tokens on shared machines.
Good to know
- exp is in seconds since Unix epoch—use the Timestamp Converter if you need a human-readable date.
- An alg of none, or any algorithm your verifier does not expect, is a security red flag: a verifier must pin the algorithm it accepts rather than trust whatever the token's header announces.
- Refresh tokens decode the same way but often carry sensitive session identifiers—handle with care.
FAQ
- Can I trust the decoded payload?
- Anyone can Base64-decode a JWT. Trust only comes from verifying the signature with the issuer's public key or secret on your server, and then checking the claims (exp, iss, aud) against what you expect.