JWT Decode (no verify) Guide

Decode JWT header/payload.

Overview

Decode JWT header and payload to inspect claims like exp, iat, aud, iss, and custom fields. This tool does not verify signatures — it’s for debugging and troubleshooting. Runs locally in your browser.

Use cases

  • Check token expiry (exp) when users report random logouts.
  • Inspect scopes/roles in the payload during auth debugging.
  • Compare two tokens to see what changed after a refresh.

Common pitfalls

  • Never trust decoded claims without verifying the signature server-side.
  • Watch out for exp being in seconds since epoch (not ms).
  • JWT segments are Base64URL; standard Base64 decoders may fail or show garbled results.

FAQs

Why doesn’t this verify the signature?

Verification requires the signing key/public key and exact algorithm settings. This tool focuses on inspection; verify on your server.

Is decoding a JWT secure?

Decoding is just Base64URL parsing. Don’t treat decoded data as trusted unless you verify the signature.

Do you upload my token?

No. Decoding happens locally in your browser.

What’s the difference between JWS and JWE?

JWS is signed (the payload is readable); JWE is encrypted (the payload is not readable without decryption). This tool is for readable JWTs.

Examples

Input

header.payload.signature

Output

{
  "header": { ... },
  "payload": { ... }
}
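
The decode step with the pitfalls above handled (Base64URL alphabet and missing padding, exp in seconds, five-segment JWE input), as an added example that is not this tool's own code. The function names, the 1e11 milliseconds heuristic and the sample token are assumptions constructed for illustration; no signature is verified.

```javascript
// Added example: decode-only JWT inspection. Nothing here verifies a signature.

// Base64URL -> UTF-8 string. Base64URL uses '-' and '_' and drops '=' padding.
function b64urlToString(seg) {
  if (!/^[A-Za-z0-9_-]*$/.test(seg)) throw new Error("segment is not Base64URL");
  let b64 = seg.replace(/-/g, "+").replace(/_/g, "/");
  if (b64.length % 4 === 1) throw new Error("invalid Base64URL length");
  b64 += "=".repeat((4 - (b64.length % 4)) % 4); // restore stripped padding
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  return new TextDecoder().decode(bytes); // claims may contain non-ASCII text
}

function decodeJwtUnverified(token, nowMs = Date.now()) {
  const parts = token.trim().split(".");
  if (parts.length === 5) throw new Error("5 segments: JWE (encrypted), payload not readable");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const header = JSON.parse(b64urlToString(parts[0]));
  const payload = JSON.parse(b64urlToString(parts[1]));
  const notes = [];
  let expired = null; // null = no usable exp claim
  if (typeof payload.exp === "number") {
    // exp is seconds since epoch; a value above 1e11 is assumed to be milliseconds.
    if (payload.exp > 1e11) notes.push("exp looks like milliseconds, not seconds");
    else expired = payload.exp * 1000 <= nowMs;
  }
  // verified is always false: these claims are for inspection only.
  return { header, payload, expired, notes, verified: false };
}

// Helper used only to build the constructed sample tokens below.
function b64url(obj) {
  const bytes = new TextEncoder().encode(JSON.stringify(obj));
  return btoa(String.fromCharCode(...bytes))
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Constructed sample: the signature is a dummy string and is never checked.
const SAMPLE_NOW_MS = 1700000000000;
const sampleToken = [
  b64url({ alg: "HS256", typ: "JWT" }),
  b64url({ iss: "https://issuer.example", aud: "demo-api", name: "Zoë",
           iat: 1699990000, exp: 1699996400 }),
  "constructed-signature",
].join(".");

console.log(decodeJwtUnverified(sampleToken, SAMPLE_NOW_MS));
```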