Skip to content
AldeaCode Logo
es
Developer100% local · 0 bytes sent

JWT Decoder

Paste a JWT to inspect its header and payload as pretty-printed JSON without sending the token anywhere. The signature is shown but never verified, this is a debugging tool not an authentication validator. Tokens with non-ASCII payloads (UTF-8) decode correctly. Round-trip the segments through the Base64 Encoder, beautify the payload in the JSON Formatter and Validator, or hash any field with the SHA Hash Generator.

Loading…

How it works

We split the JWT by dots into 3 parts. The first two are decoded with Base64URL (alphabet swap, padding restored) and parsed as JSON. UTF-8 is handled via TextDecoder so any payload survives. The signature is shown raw and is not validated.

How to use it

  1. Paste the JWT

    Drop in a full JSON Web Token, with or without the Bearer prefix. The three Base64URL segments are split automatically.

  2. Inspect the header

    The decoder shows the algorithm, the key id and any other header fields in pretty-printed JSON.

  3. Inspect the payload

    The payload is rendered as JSON. Standard claims like exp, iat and sub are surfaced. Custom claims appear inline.

  4. Verify never leaves your tab

    Decoding does not validate the signature. The token is processed entirely in your browser. Nothing is logged or sent.

Use cases

Debug an API auth token to check claims and expiry.

Inspect a token returned by an OAuth flow.

Verify the issuer (iss) and audience (aud) of a token.

Read custom claims while developing an authorisation layer.

Confirm a token is well-formed before sending to a backend.

When NOT to use it

  • As a way to verify a JWT. This tool only decodes header and payload; it does not check the signature. Verification needs the secret or public key on a backend.
  • On tokens you do not own. JWTs are credentials, treat them like passwords.
  • To inspect rotating refresh tokens in shared screenshots. The decoded payload often contains user IDs, scopes and expiry.

Your data never leaves your browser

Every utility runs entirely on your device. Nothing is uploaded, nothing is stored on a server. You can disconnect from the internet and they keep working.

Frequently asked questions

Related tools

Curated next destinations. Use complementary tools in a pipeline; alternatives swap in for a different angle; next-step tools pick up where this one leaves off.

Pairs well with

Or use instead