/jwt

JWT inspector

Paste a JWT. We decode the header and payload in-browser. We do not verify signatures — signatures need secret keys, and nothing secret should leave your device.

Token

Header

Payload

Signature

Base64url-encoded signature bytes. Not verified here.

Nothing you paste leaves this tab. JWTs are compact, URL-safe, Base64-encoded JSON; anyone can decode them, which is why sensitive data should never go in the payload.

How it works

What this is: A JSON Web Token is three Base64url segments separated by dots: header.payload.signature. It carries claims (who you are, what you can do, when it expires) signed by an issuer. Common in OAuth, OIDC, API auth.
How it works: We split on ., Base64url-decode each segment, and JSON.parse the header and payload. We do not verify the signature — that would require the issuer's secret key, which must never touch the browser. Common claims (iat, exp, nbf) get human-readable dates in the summary.
Worked example: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9 .eyJzdWIiOiIxMjM0NSIsIm5hbWUiOiJBbGV4IiwiaWF0IjoxNzEzNzQ0MDAwfQ .SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c → header: { "alg": "HS256", "typ": "JWT" } payload: { "sub": "12345", "name": "Alex", "iat": 1713744000 }
Privacy: Signature verification is deliberately omitted. Verifying a JWT requires the signing key; sending real tokens plus their keys to a web page is exactly the leak this tool exists to prevent.

Header

Payload

Signature

Claim summary