Tools / Developer / JWT Decoder
Client-side

JWT Decoder

Decode JWT headers and payload claims locally in your browser without sending the token to any server (signature is not verified).

What it does

  • Decodes header and payload claims from any JWT
  • Expiry, issuer, and custom claims displayed as formatted JSON
  • Token never leaves the browser tab
  • Clear warning that the signature is not verified

Signature not verified

This tool decodes the JWT header and payload only. The signature is never checked, so anyone can forge a token that looks valid. Never trust decoded contents for authentication or authorization.

Need to decode a JWT and read what is inside it? Paste the token to decode the JWT header and payload instantly, in the browser. JWTs are not encrypted by default, so the header and payload are Base64url-encoded rather than sealed. Pasting a token into a typical third-party decoder hands the entire claims set to a remote service. This decoder runs on WebAssembly so the token never leaves the tab, letting you inspect expiry, issuer, and custom claims without a credential leak risk.

JWT structure: header, payload, signature

A JSON Web Token is three Base64url-encoded segments joined by dots, in the form header.payload.signature. The header declares the signing algorithm (for example HS256 or RS256) and token type. The payload carries the claims, which is the actual data: registered claims like iss (issuer), sub (subject), aud (audience), exp (expiry), and iat (issued-at), plus any custom claims your application adds. The signature is computed over the first two segments and is what proves the token has not been tampered with.

Decoding is not verifying

This is the single most important thing to understand about a JWT decoder. Decoding simply Base64url-decodes the header and payload so you can read them, and anyone can do that because the segments are not encrypted. Verifying is a separate, cryptographic step that checks the signature against a secret or public key to confirm the token is authentic and unaltered. This tool decodes only, it does not verify the signature, so never trust a decoded payload as proof of identity in production. Verification must happen server-side with the correct key.

Common use cases

  • Debugging auth flows — check why a request is rejected by reading the exp claim to see if the token is expired or the aud claim to confirm it targets the right audience.
  • Inspecting custom claims — confirm that roles, scopes, tenant IDs, or feature flags were embedded correctly during login.
  • Learning and documentation — see exactly how a provider structures its tokens before integrating.

Privacy: the token stays in your tab

Access tokens are credentials. Sending one to a remote decoder, even briefly, exposes it to logging and interception. Here the JWT is decoded entirely client-side by a Rust module compiled to WebAssembly, so nothing is uploaded, transmitted, or stored. Close the tab and the token is gone.

Related tools

The individual JWT segments are Base64url-encoded, so the Base64 encoder and decoder is handy for working with raw values, and the decoded payload is JSON you can clean up with the JSON formatter. When a token travels in a URL or query string, the URL encode and decode tool helps you handle the percent-encoding correctly.