JWT Decoder
Decode and inspect JSON Web Tokens — header, payload, and expiry
Frequently Asked Questions
How does the JWT Decoder work?
It splits a JSON Web Token (JWT) into its Header, Payload, and Signature components and decodes the Base64Url encoding locally.
Do I need a secret key to see the payload?
No. The Header and Payload are only Base64Url-encoded, not encrypted. Anyone with the token can see the data inside.
Is it safe to decode my production JWTs here?
Yes. The decoding happens locally in your browser. We never see or store your tokens.
Can the tool verify the JWT signature?
To verify the signature, you would need to provide the secret key. Our tool is primarily for inspecting the 'claims' within the token.
What are JWT 'Claims'?
Claims are pieces of information encoded in the payload, such as 'sub' (user ID), 'exp' (expiration time), and 'iat' (issued at time).
Why is the payload showing garbled text?
This usually happens if the token is malformed or if it's not a standard JWT. Ensure you have copied the entire token (three parts separated by dots).
Does it show expiration time in a human-readable format?
Yes. We automatically convert Unix 'exp' timestamps into your local date and time.
Can I edit the JWT and re-encode it?
Currently, our tool is for decoding and inspection. Modifying and re-signing would require the secret key and is not supported to prevent misuse.
What does 'Base64Url' mean?
It's a variant of Base64 that is safe for use in URLs and headers by replacing characters like '+' and '/' with '-' and '_'.
Is this a good alternative to jwt.io?
Yes. It provides the same core decoding functionality in a clean, privacy-focused, and local environment.
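The decoding steps described in the answers above (splitting on the dots, Base64Url decoding, converting 'exp'), shown as an added example that is not this tool's own code. The function names and the sample token are constructed for illustration, and the signature is not verified, so the output is for inspection only.

```javascript
// Base64Url -> UTF-8 text: map '-' and '_' back to '+' and '/', restore '=' padding.
function base64UrlDecode(segment) {
  if (!/^[A-Za-z0-9_-]*$/.test(segment) || segment.length % 4 === 1) {
    throw new Error("not valid Base64Url");
  }
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64.padEnd(Math.ceil(b64.length / 4) * 4, "=");
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  // fatal: true raises an error on invalid UTF-8 instead of returning garbled text.
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes);
}

function decodeJsonSegment(segment, name) {
  let value;
  try {
    value = JSON.parse(base64UrlDecode(segment));
  } catch (err) {
    throw new Error(`${name} is not Base64Url-encoded JSON: ${err.message}`);
  }
  if (value === null || typeof value !== "object" || Array.isArray(value)) {
    throw new Error(`${name} is not a JSON object`);
  }
  return value;
}

function decodeJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) {
    throw new Error(`expected 3 dot-separated parts, got ${parts.length}`);
  }
  const header = decodeJsonSegment(parts[0], "header");
  const payload = decodeJsonSegment(parts[1], "payload");
  const result = { header, payload, signature: parts[2], signatureVerified: false };
  if (typeof payload.exp === "number") {
    // ISO 8601 UTC here; use toLocaleString() on the Date for local time.
    result.expiresAt = new Date(payload.exp * 1000).toISOString();
    result.expired = nowSeconds >= payload.exp;
  }
  return result;
}

// Constructed sample token (unsigned; the third part is a placeholder, not a real signature).
const encodeSample = (obj) =>
  btoa(JSON.stringify(obj)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const SAMPLE_TOKEN = [
  encodeSample({ alg: "HS256", typ: "JWT" }),
  encodeSample({ sub: "user-123", iat: 1700000000, exp: 1700003600 }),
  "placeholder-signature",
].join(".");
```

Passing `nowSeconds` explicitly makes the expiry check reproducible when inspecting old tokens.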