JWT Decoder (Debug Only)
Decode JSON Web Tokens (JWT) to inspect headers and payloads. Client-side only for security - no secret keys required.
Capabilities
✓ Local Processing
Data never reaches the server
✓ Large Files
Optimized for 5MB+ text
✓ Privacy First
No logs, no tracking
✓ Standard Compliant
Strict RFC adherence
How It Works
JSON Web Tokens (JWTs) are the industry standard for stateless authentication. But they are opaque strings until you decode them. This tool lets you inspect the contents of a token locally—without exposing your secrets.
What is a JWT?
A JWT is a compact, URL-safe means of representing claims to be transferred between two parties.
It consists of three parts separated by dots (.):
- Header: Describes the algorithm (e.g., HS256) and type.
- Payload: The data! Contains claims like user ID (`sub`), expiration (`exp`), and roles.
- Signature: A cryptographic signature over the header and payload, used to check that the token hasn't been tampered with.
⚠️ Security Warning: Decoder vs. Validator
This tool is a Decoder, not a Validator.
Decoding simply reverses the Base64 encoding. Anyone can do this. A JWT is like a postcard: signed, but readable by anyone. Do not put secrets (passwords) inside a JWT.
Validating requires a secret key. We do NOT ask for your secret key. Therefore, we cannot tell you if the token is trusted, only what it says.
Common JWT Claims
- `sub` (Subject): Who this token is about (usually User ID).
- `iat` (Issued At): When the token was created.
- `exp` (Expiration): When the token dies. Most APIs reject tokens after this second.
- `iss` (Issuer): Who created this token.
How Base64Url Works
JWTs use a variant of Base64 called Base64Url. Standard Base64 uses + and /, which are not safe in URLs. Base64Url replaces them with - and _ and removes padding (=). This allows JWTs to be easily passed in URL query parameters.
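The decode path described above, as an added example that is not this tool's own code: it converts Base64Url back to standard Base64, restores padding, parses the header and payload, and reports `exp` status without ever checking the signature. The function names, the sample claims and the placeholder signature are assumptions made up for illustration.

```javascript
// Added example (not the tool's own code). Uses only atob/btoa, TextEncoder and
// TextDecoder, which exist in browsers and in current Node.js.

// Base64Url -> text: restore '+' and '/', re-add the '=' padding JWTs strip.
function base64UrlDecode(segment) {
  if (!/^[A-Za-z0-9_-]*$/.test(segment) || segment.length % 4 === 1) {
    throw new Error("not valid Base64Url");
  }
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/") +
    "=".repeat((4 - (segment.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(b64), (ch) => ch.charCodeAt(0));
  return new TextDecoder().decode(bytes); // claims are UTF-8 JSON
}

// Text -> Base64Url, used here only to build the constructed sample token.
function base64UrlEncode(text) {
  let binary = "";
  for (const byte of new TextEncoder().encode(text)) binary += String.fromCharCode(byte);
  return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Decode only: the signature segment is never checked, so `verified` is always false.
function decodeJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const header = JSON.parse(base64UrlDecode(parts[0]));
  const payload = JSON.parse(base64UrlDecode(parts[1]));
  const expired = typeof payload.exp === "number" ? nowSeconds >= payload.exp : null;
  return { header, payload, expired, verified: false };
}

// Constructed sample: made-up claims and a placeholder signature that matches no key.
const SAMPLE_TOKEN = [
  base64UrlEncode(JSON.stringify({ alg: "HS256", typ: "JWT" })),
  base64UrlEncode(JSON.stringify({ sub: "user-123", iss: "example-issuer",
    iat: 1700000000, exp: 1700003600 })),
  "placeholder-signature",
].join(".");

// The placeholder signature does not stop decoding; only a validator holding the key would reject it.
console.log(decodeJwt(SAMPLE_TOKEN, 1700000001));
```

A server must never treat the output of a decode-only function like this as authenticated; the claims are trustworthy only after the signature has been verified with the key.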