en

Decode JWT

Decode a JSON Web Token locally in your browser into readable JSON - header and payload revealed, with no upload.

Running locally on your device ...

0%

Your files never left your device

    Is my file uploaded?

    No. Everything runs in your browser - your file never leaves your device. How this is verifiable

    No upload100% local
    Your content stays with youno third-party access
    Servers in GermanyGDPR by design
    Independently auditedTLS A+ · HTTP headers A+

    A JSON Web Token (JWT, RFC 7519) is a compact token made of three dot-separated parts: header, payload and signature. The header and payload are just Base64URL-encoded JSON (RFC 7515) - not a secret, only a transport-safe notation. This tool splits the parts, decodes the header and payload back, and shows you the contained JSON neatly indented. At a glance you see which algorithm is declared and which statements (claims) the token carries.

    Important and honest: this tool only DECODES, it does NOT verify the signature. Real verification needs the issuer secret or public key, which this tool deliberately never asks for - your keys have no place here. So a decoded token is not yet a trusted token: its content may be tampered with arbitrarily. Use the view to understand and debug (Which claims? When does exp expire? Which iss?), never as proof of authenticity. The signature part is shown only raw and unchanged.

    All processing runs entirely locally in your browser in pure JavaScript - the token is not uploaded, not stored, and no foreign library is loaded from a CDN. That matters precisely for tokens, because an access or ID token does not belong in an external online form. If the input is not a valid JWT, the tool says so honestly (invalid token) instead of inventing a wrong result. You can download the result as a JSON file.

    Specifications

    Specifications
    Input formatsText input
    Output formatJSON
    Batch processingNo
    ProcessingLocally in your browser (JavaScript)
    File uploadNone

    In 3 steps

    1. Paste the JWT into the text field.
    2. Click decode.
    3. Read or download the header and payload as JSON.

    Limitations: Pure decoding without signature verification: the tool does NOT confirm that a token is genuine or unchanged - that would need the issuer key. It also does not check whether the token has expired; it only shows the claims. Encrypted tokens (JWE) are not decrypted. Header and payload are only Base64URL, not encryption - so never put secrets in the payload.

    FAQ

    Is my token uploaded?

    No. Decoding runs entirely locally in your browser; the token never leaves your device and is not stored.

    Does the tool verify the signature?

    No. It only decodes the header and payload. Verifying a signature needs the issuer key, which this tool deliberately never asks for. A decoded token is not a trusted token.

    Is a JWT encrypted?

    Usually not. The header and payload are only Base64URL-encoded, which anyone can read back. So do not put secrets in the payload.

    What do claims like exp, iat or iss mean?

    Standard claims: iss is the issuer, iat the issued-at time, exp the expiry (as Unix time), sub the subject. The tool shows them unchanged; it does not evaluate them.

    What happens with invalid input?

    If the input is not a valid JWT (wrong number of parts or broken Base64URL), the tool reports an honest error instead of producing a wrong result.

    Related tools