JWT Decoder
Decode JSON Web Tokens — inspect header, payload, and signature. Your token never leaves your browser.
About JWT Decoder
The JWT Decoder is a privacy-first tool for inspecting JSON Web Tokens, decoding their header and payload sections, and verifying the key structural properties of a token. JWTs are widely used for authentication, authorization, and information exchange in modern web applications and APIs. Understanding the contents of a JWT is essential for debugging authentication flows, verifying claims, and auditing token payloads during development and security reviews.
Using the decoder is simple: paste a JWT string into the input field, and the tool instantly decodes and displays the header and payload. The token is parsed client-side, meaning your JWT and its contents never leave your browser. Each field in the decoded JSON is displayed with syntax highlighting and type information. The tool also shows the token's expiration status based on the `exp` claim, highlighting whether a token is currently valid, expired, or has no expiration.
A JWT consists of three parts separated by dots: the header (containing the algorithm and token type), the payload (containing claims), and the signature. The decoder displays all three sections. The header reveals which signing algorithm is used (e.g., HS256, RS256), which is critical for security verification. The payload shows the registered claims (`iss`, `sub`, `aud`, `exp`, `nbf`, `iat`, `jti`), public claims, and private claims in the decoded JSON.
Security is the paramount concern when processing JWTs. Since tokens often contain sensitive claims like user identities, roles, and permissions, this tool processes everything in your browser using WebAssembly. No data is transmitted to any server, and no logs are kept. The decoder explicitly warns about common security risks: tokens using 'none' algorithm (which would bypass signature verification), tokens where the algorithm differs from what the header specifies, and tokens with suspiciously weak signatures.
Beyond basic decoding, the tool includes a JWT editor mode that lets you modify header and payload claims and re-encode the token. This is useful for testing how your application handles different claim values, malformed tokens, or edge cases like missing required claims, expired tokens, or tokens with unusual audience values. Re-encoded tokens use the original algorithm but generate a new signature placeholder since the private key is never available.
For developers implementing JWT-based authentication, the tool includes a reference section documenting all registered claim names, common algorithm identifiers, and best practices for JWT validation. This replaces the need to constantly look up the RFC 7519 specification or check library documentation for claim semantics. The reference also covers common pitfalls like timing attacks in signature verification, proper audience validation, and the difference between symmetric and asymmetric signing algorithms.
Frequently Asked Questions
Is my JWT sent to any server?
No. All decoding happens entirely in your browser via client-side JavaScript. The token and its decoded contents never leave your machine. You can verify this by disconnecting from the network and using the tool.
Can you verify the signature of a JWT?
The tool decodes the header and payload, but cannot verify the signature without your private key. It does warn you if the token uses the 'none' algorithm, which is a security risk.
What is the difference between JWS and JWE?
This tool decodes JWS (JSON Web Signature) tokens, which are signed but not encrypted. JWE (JSON Web Encryption) tokens are encrypted and require a private key to decrypt. Most JWTs in practice are JWS tokens.
Does the tool support JWTs with custom claim names?
Yes. Custom claims are displayed in the payload section alongside registered claims. The tool does not validate custom claim contents but formats them for inspection.