Browser-only tool

JWT decoder

Paste a JWT to decode its header and payload. This tool helps inspect token claims but does not verify the signature.

  • Updated: 2026-04-30
  • JWT decoding runs locally in your browser. The token is not uploaded by this static page.

Warning: decoding is not verification. Do not paste production access or refresh tokens unless you trust this local environment.

Signature is not verified by this tool.

Privacy And Limitations

  • Decoding is not verification. A decoded token can still be forged or expired.
  • Do not paste production access tokens, refresh tokens, or secrets unless you trust the local environment.
  • Signature verification requires trusted keys and issuer-specific validation rules.

FAQ

Does this verify JWT signatures?

No. It decodes header and payload only. Verification needs trusted keys and issuer rules.

Is it safe to paste production tokens?

Avoid it. Tokens can grant access and may also be stored in browser history or screenshots.

What parts of a JWT are decoded?

The tool decodes the Base64URL header and payload. It shows the signature segment but does not validate it.
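
The decode-only step described above, as an added example (this is not the tool's own source code). The function names, the `notes` field and the sample token are assumptions made for illustration; the result is always marked unverified because no key is involved.

```javascript
// Added example: decode-only JWT inspection. No signature check is performed.
function b64urlToText(segment) {
  if (!/^[A-Za-z0-9_-]+$/.test(segment)) {
    throw new Error("segment is not Base64URL");
  }
  // Map the URL-safe alphabet back to standard Base64 and restore padding.
  let b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  if (b64.length % 4 === 1) throw new Error("invalid Base64URL length");
  b64 += "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  // fatal: true rejects invalid UTF-8 instead of silently substituting U+FFFD.
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes);
}

function decodeJwtUnverified(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) {
    throw new Error("expected three dot-separated segments");
  }
  const [headerSeg, payloadSeg, signatureSeg] = parts;
  const header = JSON.parse(b64urlToText(headerSeg));
  const payload = JSON.parse(b64urlToText(payloadSeg));
  const notes = [];
  if (String(header.alg).toLowerCase() === "none" || signatureSeg === "") {
    notes.push("unsigned token: alg is none or the signature segment is empty");
  }
  if (typeof payload.exp === "number" && payload.exp <= nowSeconds) {
    notes.push("exp is in the past");
  }
  if (typeof payload.nbf === "number" && payload.nbf > nowSeconds) {
    notes.push("nbf is in the future");
  }
  // The signature is passed through as text only; nothing here validates it.
  return { header, payload, signature: signatureSeg, verified: false, notes };
}

// Constructed sample token; the signature segment is filler, not a real MAC.
const SAMPLE_TOKEN = [
  "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9",
  "eyJzdWIiOiJkZW1vIiwiZXhwIjoxNzAwMDAwMDAwfQ",
  "c2lnbmF0dXJlLXBsYWNlaG9sZGVy",
].join(".");
```

The `notes` entries are debugging hints only: a token with no notes is still untrusted until its signature, issuer and audience have been validated with trusted keys.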

Can decoded claims be trusted?

Not without signature, issuer, audience, expiry, and policy validation.

Why provide the tool if tokens are sensitive?

JWT inspection is useful for debugging, but the page must clearly warn about risks and avoid uploading data.