No processing of your file contents takes place on any server. You need no data-processing agreement with gottrix to handle confidential or business documents.
Servers in GermanyGDPR by design
Origin servers at Hetzner in Germany. Since your files never leave your device, their contents are not transmitted at all.
A JSON Web Token (JWT, RFC 7519) is a compact token made of three dot-separated parts: header, payload and signature. The header and payload are just Base64URL-encoded JSON (RFC 7515) - not a secret, only a transport-safe notation. This tool splits the parts, decodes the header and payload back, and shows you the contained JSON neatly indented. At a glance you see which algorithm is declared and which statements (claims) the token carries.
Important and honest: this tool only DECODES, it does NOT verify the signature. Real verification needs the issuer secret or public key, which this tool deliberately never asks for - your keys have no place here. So a decoded token is not yet a trusted token: its content may be tampered with arbitrarily. Use the view to understand and debug (Which claims? When does exp expire? Which iss?), never as proof of authenticity. The signature part is shown only raw and unchanged.
All processing runs entirely locally in your browser in pure JavaScript - the token is not uploaded, not stored, and no foreign library is loaded from a CDN. That matters precisely for tokens, because an access or ID token does not belong in an external online form. If the input is not a valid JWT, the tool says so honestly (invalid token) instead of inventing a wrong result. You can download the result as a JSON file.
Specifications
Specifications
Input formats
Text input
Output format
JSON
Batch processing
No
Processing
Locally in your browser (JavaScript)
File upload
None
In 3 steps
Paste the JWT into the text field.
Click decode.
Read or download the header and payload as JSON.
Limitations:Pure decoding without signature verification: the tool does NOT confirm that a token is genuine or unchanged - that would need the issuer key. It also does not check whether the token has expired; it only shows the claims. Encrypted tokens (JWE) are not decrypted. Header and payload are only Base64URL, not encryption - so never put secrets in the payload.
FAQ
Is my token uploaded?
No. Decoding runs entirely locally in your browser; the token never leaves your device and is not stored.
Does the tool verify the signature?
No. It only decodes the header and payload. Verifying a signature needs the issuer key, which this tool deliberately never asks for. A decoded token is not a trusted token.
Is a JWT encrypted?
Usually not. The header and payload are only Base64URL-encoded, which anyone can read back. So do not put secrets in the payload.
What do claims like exp, iat or iss mean?
Standard claims: iss is the issuer, iat the issued-at time, exp the expiry (as Unix time), sub the subject. The tool shows them unchanged; it does not evaluate them.
What happens with invalid input?
If the input is not a valid JWT (wrong number of parts or broken Base64URL), the tool reports an honest error instead of producing a wrong result.