Decoded locally · Never uploadedJWTs often contain sensitive identity info; decoding happens entirely in your browser — the token is never uploaded, stored, or sent.

No signature verificationThis tool only decodes and shows header / payload; it does NOT verify the signature — don't rely on it to judge whether a token is tampered or trusted.

JWT Token

Decoded

Paste a JWT

Header · Payload · Claims · Decoded locally, never uploaded

JWT Decoder

Decode header / payload / signature · Read exp·iss·aud·sub · Spot expired · Decoded locally, never uploaded

🔒Processed locally in your browser — never uploaded or stored

No upload, no storage

JSON is processed in memory and never sent to a server.

Share via URL fragment

Share links encode data in the # anchor — never sent to a server.

Remember last edit

Optionally keep your last input locally; clear it with one click.

Decode Header, Payload & Signature｜Read Claims (exp, iss, aud, sub)｜Spot Expired Tokens｜Decoded Locally — Never Uploaded

Decode All Three

Header, payload and signature shown in separate panels.

Read Claims

Highlights common claims like exp / iss / aud / sub.

Spot Expired

Flags expired / not-yet-valid from exp / nbf.

Decoded Locally, Never Uploaded

JWTs hold sensitive info; decoding stays on your machine.

Decode Only, No Verify

No signature verification this release — the boundary is stated clearly.