Paste a JWT to decode it locally.
Paste a JSON Web Token and decode the header and payload locally in your browser. The same page also checks expiry, risky claims, alg values, storage concerns, and signature verification options.
JWT payloads are Base64URL-encoded, not encrypted: anyone who holds the token can read them. Do not put passwords, refresh tokens, private keys, API keys, payment data, or unnecessary personal data inside the payload.
Browser storage choice matters. localStorage and sessionStorage are easy to use but any script running on the page, including injected XSS, can read them. For browser apps, prefer short-lived access tokens and consider HttpOnly, Secure, SameSite cookies for server-managed sessions; HttpOnly keeps the token out of script, but a cookie-carried token is sent automatically, so the server still needs a CSRF defence.
Always verify signatures on the server. Pin the expected algorithm instead of reading it from the header (reject alg "none" and any unexpected algorithm family), validate iss and aud against the values you expect, enforce exp (and nbf when present), and rotate signing keys safely, for example by identifying keys with kid so old and new keys can overlap during rollover.
A compact JWT has three dot-separated Base64URL parts: header, payload, and signature. This decoder reads the first two parts in your browser and formats them as JSON. Decoding is not the same as trusting: the first two parts can be produced by anyone, so a backend must still verify the signature, issuer, audience, and expiration before accepting any claim in the token.
For a security-focused entry point, open the JWT Security Checker.