JWT Decoder

Inspect tokens locally · no leakage

Paste a JWT (with or without "Bearer " prefix)

We never validate the signature here, that needs the secret/key. Decoding is local; the token never uploads.

Expiry

Valid · expires 5/18/2033, 3:33:20 AM

Algorithm

HS256

Type

JWT

Header

{
  "alg": "HS256",
  "typ": "JWT"
}

Payload

{
  "sub": "user_123",
  "name": "Alice",
  "iat": 1700000000,
  "exp": 2000000000,
  "role": "admin"
}

Signature (base64url)

fake-signature-for-demo

Signatures need the secret (HMAC) or public key (RSA/ECDSA) to verify. We don't do that here on purpose, keeps the tool 100% client-side and prevents secret leakage.