JWT Decoder
Decode the header and payload of a JSON Web Token. Shows claims, expiration status, and kid/alg — all in the browser. Signatures are not verified.
Decode a JSON Web Token
Splits and base64url-decodes the header and payload. Signatures are not verified — never paste production tokens you don't own.
What the tool does
- Splits the token into header, payload, and signature segments.
- Base64url-decodes and pretty-prints the JSON.
- Flags exp, nbf, and iat claims against the current time.
- Warns when the algorithm is none — a red flag for misconfigured verifiers.
What the tool does not do
It does not verify signatures. Verification requires the issuer’s public key (or shared secret for HS*), which this tool deliberately doesn’t handle. Treating a decoded JWT as trusted because it “decoded cleanly” is the single most common JWT mistake in the wild.
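The decode-and-flag steps above, as an added example in browser JavaScript (not the tool's own source): it base64url-decodes header and payload, checks exp/nbf/iat against a supplied clock, warns on alg none, and returns signatureVerified: false because nothing here checks the signature. The sample token is constructed inline and is not a real credential.

```javascript
// Added example, not the tool's own source: decode a JWT's header and payload
// as the page describes, flag exp/nbf/iat against a clock, warn on alg "none".
// Nothing here verifies the signature; every field returned is untrusted input.

function base64UrlDecode(segment) {
  // base64url -> standard base64: restore '+' '/' and the stripped padding
  let b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  b64 += "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  // fatal: true rejects malformed UTF-8 instead of silently substituting
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes);
}

function base64UrlEncode(text) {
  // Only used below to build the constructed sample token
  const bin = String.fromCharCode(...new TextEncoder().encode(text));
  return btoa(bin).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

function decodeJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error(`expected 3 segments, got ${parts.length}`);
  const [h, p, signature] = parts;
  const header = JSON.parse(base64UrlDecode(h));
  const payload = JSON.parse(base64UrlDecode(p));
  const warnings = [];
  if (typeof header.alg !== "string" || header.alg.toLowerCase() === "none") {
    warnings.push("alg is 'none' or missing");
  }
  if (typeof payload.exp === "number" && payload.exp <= nowSeconds) warnings.push("expired");
  if (typeof payload.nbf === "number" && payload.nbf > nowSeconds) warnings.push("not yet valid");
  if (typeof payload.iat === "number" && payload.iat > nowSeconds) warnings.push("iat in the future");
  // signatureVerified is always false: decoding says nothing about authenticity
  return { header, payload, signature, signatureVerified: false, warnings };
}

// Constructed sample (not a real token): alg none, empty signature, exp already past
const SAMPLE_TOKEN = [
  base64UrlEncode(JSON.stringify({ alg: "none", typ: "JWT" })),
  base64UrlEncode(JSON.stringify({ sub: "demo-user", iat: 1700000000, nbf: 1700000000, exp: 1700003600 })),
  "",
].join(".");

console.log(JSON.stringify(decodeJwt(SAMPLE_TOKEN, 1700007200), null, 2));
```

Pass a fixed nowSeconds, as the sample call does, to make the time-claim flags reproducible.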
Safety
Never paste a production JWT you don’t own into any online decoder —
including this one. Although the decode runs entirely client-side, you have
no easy way to prove that of any site. For production incidents, copy the
token into a local jq pipeline or a trusted library.
# safer: decode locally (JWT segments are base64url, so restore '+' '/' and padding before @base64d)
jq -R 'split(".") | .[0:2] | map(gsub("-";"+") | gsub("_";"/") | . + "=" * ((4 - length % 4) % 4) | @base64d | fromjson)' <<< "$TOKEN"