JWT Decoder
Paste a JSON Web Token to decode its header and payload instantly. 100% client-side — your token never leaves your browser.
Why this matters
See exactly what a token carries
Decode the claims an API or app trusts you with — sub, role, scopes, expiry — to debug auth issues fast.
Catch security mistakes
Spot 'alg: none', overly long expiries, or sensitive data wrongly stored in the payload (it's readable by anyone).
Private by design
100% client-side decoding. Paste production tokens safely — nothing is uploaded or logged.
How it works
Paste your JWT (the eyJ... string) into the box.
We split it on the dots and base64url-decode the header and payload.
Read the pretty-printed JSON, the algorithm, and human-readable expiry — all in your browser.
Frequently Asked Questions
What is a JWT?
A JSON Web Token (JWT) is a compact, URL-safe token with three base64url-encoded parts separated by dots: a header (algorithm + type), a payload (claims like sub, role, exp), and a signature. It's widely used for authentication and API authorization.
Is this JWT decoder safe?
Yes. Decoding happens entirely in your browser with JavaScript — the token is never sent to any server. You can paste production tokens without them leaving your machine.
Does this verify the JWT signature?
No. This tool decodes the header and payload only. Verifying the signature requires the secret (HMAC) or public key (RS/ES). Decoding a token doesn't prove it's valid or untampered — always verify signatures server-side.
Why is 'alg: none' dangerous?
A JWT with alg=none is unsigned. If your server accepts 'none' tokens, an attacker can forge any payload (e.g., role: admin) with no signature. Always reject the 'none' algorithm and pin your expected algorithm server-side.
How do I read the exp and iat fields?
exp (expiration) and iat (issued-at) are Unix timestamps in seconds. This tool converts them to human-readable dates and flags whether the token is expired. nbf (not-before) is also shown when present.
Can I decode a token without the secret key?
Yes — the header and payload are just base64url-encoded JSON, readable by anyone. That's why you must never put sensitive data in a JWT payload. The secret is only needed to verify the signature, not to read the contents.
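The decoding steps above (split on the dots, base64url-decode header and payload, convert exp/iat/nbf to dates, flag an expired token and an 'alg: none' header) as a small worked example in JavaScript. This is an added illustration, not the tool's own source code; the sample tokens are constructed inline, their signature segment is a placeholder rather than a real MAC, and the 24-hour "long lifetime" threshold is an assumed value, not one the page states. Nothing here verifies a signature.

```javascript
// Added example: a minimal JWT inspector in the style of the decoder described above.
// It only decodes and flags; signature verification is deliberately out of scope.

// base64url -> standard base64 (restore '+', '/' and padding), then decode to UTF-8.
// Uses atob in the browser and falls back to Buffer under Node.
function base64UrlDecode(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  const binary = typeof atob === 'function'
    ? atob(padded)
    : Buffer.from(padded, 'base64').toString('binary');
  const bytes = Uint8Array.from(binary, (ch) => ch.charCodeAt(0));
  return new TextDecoder().decode(bytes);
}

// Encoder, used only to build the constructed sample tokens below.
function base64UrlEncode(text) {
  const bytes = new TextEncoder().encode(text);
  const binary = Array.from(bytes, (b) => String.fromCharCode(b)).join('');
  const b64 = typeof btoa === 'function'
    ? btoa(binary)
    : Buffer.from(binary, 'binary').toString('base64');
  return b64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Split on the dots and decode header and payload; the signature is returned as-is, unchecked.
function decodeJwt(token) {
  const parts = token.trim().split('.');
  if (parts.length !== 3) {
    throw new Error(`expected 3 dot-separated parts, got ${parts.length}`);
  }
  const [h, p, s] = parts;
  return {
    header: JSON.parse(base64UrlDecode(h)),
    payload: JSON.parse(base64UrlDecode(p)),
    signature: s,
  };
}

// Defensive review of a decoded token. `now` is seconds since the Unix epoch,
// injectable so the result is deterministic.
function inspectJwt(token, now = Math.floor(Date.now() / 1000)) {
  const { header, payload, signature } = decodeJwt(token);
  const warnings = [];
  const alg = String(header.alg || '');
  if (alg.toLowerCase() === 'none' || signature === '') {
    warnings.push('alg "none" / unsigned: a server that accepts this accepts any forged payload');
  }
  // exp, iat and nbf are Unix timestamps in seconds; render them as ISO dates.
  const times = {};
  for (const claim of ['iat', 'nbf', 'exp']) {
    if (typeof payload[claim] === 'number') {
      times[claim] = new Date(payload[claim] * 1000).toISOString();
    }
  }
  const expired = typeof payload.exp === 'number' && payload.exp <= now;
  if (expired) warnings.push('token is expired');
  if (typeof payload.nbf === 'number' && payload.nbf > now) {
    warnings.push('token is not yet valid (nbf is in the future)');
  }
  // Assumed threshold for "overly long expiry": anything over 24 hours.
  const LONG_LIFETIME_SECONDS = 86400;
  if (typeof payload.exp === 'number' && typeof payload.iat === 'number'
      && payload.exp - payload.iat > LONG_LIFETIME_SECONDS) {
    warnings.push('lifetime longer than 24h');
  }
  return { header, payload, alg, times, expired, warnings };
}

// Constructed sample token: HS256 header, ordinary claims, placeholder signature (not a real MAC).
const SAMPLE_JWT = [
  base64UrlEncode(JSON.stringify({ alg: 'HS256', typ: 'JWT' })),
  base64UrlEncode(JSON.stringify({ sub: 'user-123', role: 'viewer', iat: 1700000000, exp: 1700003600 })),
  'placeholder-signature',
].join('.');

// Constructed unsigned token: the 'alg: none' case the FAQ warns about (empty signature segment).
const SAMPLE_NONE_JWT = [
  base64UrlEncode(JSON.stringify({ alg: 'none', typ: 'JWT' })),
  base64UrlEncode(JSON.stringify({ sub: 'user-123', role: 'admin', iat: 1700000000, exp: 1700003600 })),
  '',
].join('.');

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(inspectJwt(SAMPLE_JWT, 1700001800), null, 2));
  console.log(JSON.stringify(inspectJwt(SAMPLE_NONE_JWT, 1700001800), null, 2));
}
```

Run it with node and the first report shows the HS256 header, the claims, `times.exp` as an ISO date and no warnings; the second flags the unsigned token. The inspector reads the `alg` header only to report it: pinning the expected algorithm and checking the signature belong on the server, as the FAQ says.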