Debugging authentication issues? Need to inspect what's inside a JWT? Paste your token and instantly see the decoded header, payload, claims, and expiry — with zero risk. Our JWT decoder is 100% client-side. Your token never leaves your browser.
🔒 This tool does not send your JWT token to any server. All decoding happens locally in your browser, ensuring your data remains private and secure.
Decoding a JWT only reveals the header and payload — it does not verify the token's signature. Anyone can decode a JWT without the secret key; that's by design. Never put sensitive, secret data in a JWT payload. The security of a JWT comes from its signature verification, not from the encoding.
This is also why our offline JWT decoder is the safest option: decoding never involves the signature verification secret, so a client-side tool has everything it needs to show you the header and payload. The token itself is still a credential that can be replayed until it expires, so never paste production JWT tokens into a tool that makes a server request.
A JSON Web Token (JWT) is a compact, URL-safe token format used to securely represent claims between two parties. It's the industry standard for authentication in web applications, mobile apps, and APIs.
A JWT consists of three Base64URL-encoded parts separated by dots:
eyJhbGciOiJIUzI1NiJ9 . eyJ1c2VySWQiOiIxMjMifQ . SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
HEADER . PAYLOAD . SIGNATURE
| Claim | Full Name | Description |
|---|---|---|
| iss | Issuer | The authority that issued the token |
| sub | Subject | The user or entity the token refers to |
| aud | Audience | Intended recipients of the token |
| exp | Expiration Time | Unix timestamp when the token expires |
| nbf | Not Before | The time before which the JWT must not be accepted for processing |
| iat | Issued At | Unix timestamp when the token was created |
| jti | JWT ID | Unique identifier for the token |
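
The decode-only inspection described above, as an added example (not this tool's own code): it splits the token, Base64URL-decodes the header and payload locally, and checks `exp` and `nbf` against the current time without ever verifying the signature. The names `b64urlToJson`, `inspectJwt` and `PAGE_TOKEN` are made up for this sketch; the sample token is the one shown on this page.

```javascript
// Added example: local, decode-only JWT inspection. No network calls are made
// and the signature is NOT verified, so the output must not be trusted for auth.
const PAGE_TOKEN =
  "eyJhbGciOiJIUzI1NiJ9.eyJ1c2VySWQiOiIxMjMifQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c";

function b64urlToJson(part) {
  // Base64URL -> Base64: swap the URL-safe characters and restore '=' padding.
  const b64 = part.replace(/-/g, "+").replace(/_/g, "/")
    .padEnd(Math.ceil(part.length / 4) * 4, "=");
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  // fatal: true rejects byte sequences that are not valid UTF-8.
  return JSON.parse(new TextDecoder("utf-8", { fatal: true }).decode(bytes));
}

function inspectJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) {
    throw new Error("expected three parts: header.payload.signature");
  }
  const header = b64urlToJson(parts[0]);
  const payload = b64urlToJson(parts[1]);
  if (payload === null || typeof payload !== "object") {
    throw new Error("payload is not a JSON object");
  }
  const notes = [];
  // exp and nbf are Unix timestamps in seconds (see the claims table).
  if (typeof payload.exp === "number" && nowSeconds >= payload.exp) {
    notes.push("expired");
  }
  if (typeof payload.nbf === "number" && nowSeconds < payload.nbf) {
    notes.push("not yet valid");
  }
  if (payload.exp === undefined) {
    notes.push("no exp claim");
  }
  // The third part is left untouched: decoding says nothing about authenticity.
  return { header, payload, notes, signatureVerified: false };
}

console.log(inspectJwt(PAGE_TOKEN));
```

Anything this returns is unauthenticated input; a server must verify the signature with its key before acting on any claim.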