JWT Decoder
Decode JSON Web Tokens instantly. View header and payload claims securely offline in your browser.
The Safest Online JWT Decoder
JSON Web Tokens (JWTs) are the backbone of modern web authentication. They are used in single sign-on (SSO) systems, stateless API authentication, and authorization protocols like OAuth2. However, because JWTs are Base64Url encoded, their contents are unreadable to the naked eye.
The Toolforge JWT Decoder allows developers to instantly parse and view the contents of any JWT. Unlike other online tools, our decoder emphasizes absolute security: it executes entirely within your browser's local memory. Your access tokens and identity claims are never transmitted over the internet, completely eliminating the risk of token theft or unauthorized logging.
Anatomy of a JWT
A standard JWT consists of three parts separated by dots (.):
- Header: Typically consists of two parts: the type of the token (JWT) and the signing algorithm being used, such as HMAC SHA256 or RSA.
- Payload: Contains the claims. Claims are statements about an entity (typically, the user) and additional data. Common registered claims include iss (issuer), exp (expiration time), and sub (subject).
- Signature: Used to verify the message wasn't changed along the way. Our tool currently decodes the first two parts, leaving the signature untouched.
How to Use
1. Paste Token: Paste your encoded JWT string (e.g., eyJhbGciOi...) into the 'JWT String' editor.
2. Instant Decode: The tool will instantly decode the Base64Url string and parse the JSON.
3. Inspect Header: View the Header section to see the algorithm (alg) and token type (typ).
4. Inspect Payload: View the Payload section to see your custom claims, expiration dates (exp), and user IDs (sub).
5. Copy Data: Click 'Copy' to copy the decoded JSON payload to your clipboard.
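What the decode steps above amount to, as an added example rather than Toolforge's own code: split the token on dots, Base64Url-decode the header and payload, and leave the signature segment untouched, so the result is always marked unverified. The function names, the warnings field, and the sample token are assumptions constructed for illustration.

```javascript
// Added example: decode-only JWT inspection. Nothing here checks the signature.
function b64urlToJson(segment) {
  // Base64Url -> Base64: swap the URL-safe characters and restore padding.
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  // fatal: true rejects invalid UTF-8 instead of silently substituting characters.
  return JSON.parse(new TextDecoder('utf-8', { fatal: true }).decode(bytes));
}

function inspectJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split('.');
  if (parts.length !== 3) {
    throw new Error(`expected 3 dot-separated parts, got ${parts.length}`);
  }
  const [headerPart, payloadPart, signaturePart] = parts;
  const header = b64urlToJson(headerPart);
  const payload = b64urlToJson(payloadPart);
  const warnings = [];
  // Decoded claims are untrusted input; these checks only describe what the token says.
  if (String(header.alg).toLowerCase() === 'none' || signaturePart === '') {
    warnings.push('token is unsigned (alg "none" or empty signature)');
  }
  if (typeof payload.exp !== 'number') {
    warnings.push('no numeric exp claim');
  } else if (payload.exp <= nowSeconds) {
    warnings.push('exp is in the past');
  }
  return { header, payload, signature: signaturePart, verified: false, warnings };
}

// Constructed sample token; the signature segment is a placeholder, not a real MAC.
const enc = (obj) =>
  btoa(JSON.stringify(obj)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const SAMPLE = [
  enc({ alg: 'HS256', typ: 'JWT' }),
  enc({ iss: 'https://issuer.example', sub: 'user-123', exp: 1700000000 }),
  'c2lnbmF0dXJlLXBsYWNlaG9sZGVy',
].join('.');

console.log(inspectJwt(SAMPLE, 1800000000));
```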
Frequently Asked Questions
Is my JWT sent to a server?
Absolutely not. This tool runs 100% locally in your browser using standard JavaScript. Your JWT never leaves your device, making it safe for inspecting production tokens.
Can this tool verify the JWT signature?
No, this tool only decodes the Base64Url-encoded Header and Payload sections of the token. It does not verify the cryptographic signature (the third part of the JWT), since that requires the verification key: the shared secret for HMAC, or the issuer's public key for RSA.
What is a JWT?
A JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed.