Do you verify the signature?

No. To verify a signature, we would need your private secret key. For security, we never ask for your secret key. This tool is for inspecting the payload only.

Is it safe to paste my production token?

Yes. The decoding happens entirely in your browser memory. We validly never send your tokens to any external server.

Do you verify the signature?

No. To verify a signature, we would need your private secret key. For security, we never ask for your secret key. This tool is for inspecting the payload only.

Is it safe to paste my production token?

Yes. The decoding happens entirely in your browser memory. We validly never send your tokens to any external server.

JWT Decoder (Debug Only)

JSON Web Tokens (JWTs) are the industry standard for stateless authentication. But they are opaque strings until you decode them. This tool lets you inspect the contents of a token locally—without exposing your secrets.

What is a JWT?

A JWT is a compact, URL-safe means of representing claims to be transferred between two parties.

It consists of three parts separated by dots (.):

Header: Describes the algorithm (e.g., HS256) and type.
Payload: The data! Contains claims like user ID (`sub`), expiration (`exp`), and roles.
Signature: A cryptographic hash validating that the token hasn't been tampered with.

⚠️ Security Warning: Decoder vs. Validator This tool is a Decoder, not a Validator.

Decoding simply reverses the Base64 encoding. Anyone can do this. A JWT is like a postcard: signed, but readable by anyone. Do not put secrets (passwords) inside a JWT.

Validating requires a secret key. We do NOT ask for your secret key. Therefore, we cannot tell you if the token is trusted, only what it says.

Common JWT Claims

sub (Subject): Who this token is about (usually User ID).
iat (Issued At): When the token was created.
exp (Expiration): When the token dies. Most APIs reject tokens after this second.
iss (Issuer): Who created this token.

How Base64Url Works

JWTs use a variant of Base64 called Base64Url. Standard Base64 uses + and /, which are not safe in URLs. Base64Url replaces them with - and _ and removes padding (=). This allows JWTs to be easily passed in URL query parameters.

What is a JWT?

A JWT is a compact, URL-safe means of representing claims to be transferred between two parties.

It consists of three parts separated by dots (.):

Header: Describes the algorithm (e.g., HS256) and type.
Payload: The data! Contains claims like user ID (`sub`), expiration (`exp`), and roles.
Signature: A cryptographic hash validating that the token hasn't been tampered with.

Common JWT Claims

sub (Subject): Who this token is about (usually User ID).
iat (Issued At): When the token was created.
exp (Expiration): When the token dies. Most APIs reject tokens after this second.
iss (Issuer): Who created this token.

JWT Decoder (Debug Only)

How it works

What is a JWT?

Common JWT Claims

How Base64Url Works

Frequently asked questions

Related tools

JWT Decoder (Debug Only)

How it works

What is a JWT?

Common JWT Claims

How Base64Url Works

Frequently asked questions

Related tools