JWT decoder

Per RFC 7519 / 7515

Inspect header, payload and signature locally; no token leaves your browser.

What is this, and when do I need it?

What is this?

A JWT (JSON Web Token, RFC 7519) is a compact string made of three parts separated by dots: header, payload and signature. Header and payload are base64url-encoded JSON - not encrypted, anyone can read them. The signature only ensures that the content has not been tampered with.

This decoder runs entirely in the browser. Your token does not leave the device. The signature is not checked against a key here - that requires the public key material from the issuer configuration.
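The decode-only inspection described above, sketched in JavaScript as an added example (not this tool's own code). The function names `b64urlToText` and `decodeJwt`, the warning texts and the sample token are constructed for illustration.

```javascript
// Added example: decode-only JWT inspection. Nothing here verifies the signature.
function b64urlToText(segment) {
  if (!/^[A-Za-z0-9_-]*$/.test(segment)) throw new Error("not base64url");
  // base64url -> base64, restoring the padding that JWTs strip
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/")
    .padEnd(Math.ceil(segment.length / 4) * 4, "=");
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes);
}

function decodeJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) {
    throw new Error(`expected 3 dot-separated parts, got ${parts.length}`);
  }
  const header = JSON.parse(b64urlToText(parts[0]));
  const payload = JSON.parse(b64urlToText(parts[1]));
  const warnings = [];
  // "none" is the RFC 7518 value for an unsecured token
  if (String(header.alg).toLowerCase() === "none") warnings.push("alg is none: unsigned");
  if (parts[2] === "") warnings.push("signature part is empty");
  if (typeof payload.exp === "number" && payload.exp <= nowSeconds) {
    warnings.push("token is expired (exp)");
  }
  // verified stays false: decoding proves nothing about who issued the token
  return { header, payload, signature: parts[2], verified: false, warnings };
}

// Constructed sample token, built inline so the example runs offline.
const enc = (obj) =>
  btoa(JSON.stringify(obj)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const SAMPLE_TOKEN = [
  enc({ alg: "RS256", typ: "JWT" }),
  enc({ sub: "user-123", iss: "https://issuer.example", aud: "api.example", exp: 1700000000 }),
  "c2lnbmF0dXJlLXBsYWNlaG9sZGVy", // placeholder bytes, not a real signature
].join(".");

console.log(decodeJwt(SAMPLE_TOKEN));
```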

When do I need it?

When you get a token back from an API and quickly want to see which claims it carries - sub, exp, iss, aud, custom roles. Helpful when debugging OIDC logins, API authentication and SaaS integrations.

Security note: never paste production tokens into third-party online decoders. They typically carry identity, roles, and sometimes personal data - a data protection violation served on a silver platter.