JWT Decoder

Paste a JSON Web Token to instantly read its header and payload — free and 100% in your browser. Decoding only (no signature check), and because nothing is uploaded it's safe for real access tokens.

⚠️ This tool decodes the token only — it does not verify the signature. Never trust a decoded payload as proof of authenticity; signature verification requires the secret or public key.

🔒 100% private — your token is decoded in your browser and is never uploaded. Safe for access tokens.

What is a JWT?

A JSON Web Token (JWT) is a compact, URL-safe way to represent claims between two parties. It is widely used for authentication and authorization — once you log in, the server hands you a token that your app sends with each request to prove who you are. A JWT is made of three parts joined by dots: header.payload.signature. The header and payload are simply Base64url-encoded JSON (not encrypted), so anyone can decode and read them — which is exactly what this tool does.

How to use this JWT decoder

  1. Paste your token into the input box — it usually starts with eyJ.
  2. The Header and Payload are decoded and pretty-printed automatically as you type.
  3. Inspect the claims — common ones include sub (subject), iat (issued-at), exp (expiry) and iss (issuer).
  4. Copy either the header or payload JSON with one click, or Clear to start over.

Tip: iat and exp are Unix timestamps (seconds since 1970). An expired exp means the token would be rejected by a server even though it still decodes fine here.

Important: this does not verify the signature

Decoding a JWT and verifying a JWT are two different things. This tool only decodes the header and payload so you can read them — it does not check the signature. Signature verification proves the token hasn't been tampered with, and it requires the signing secret (for HMAC algorithms like HS256) or the public key (for RSA/ECDSA like RS256), which this client-side tool intentionally never asks for. Because of that, you should never treat a decoded payload as proof that a token is authentic or still valid. Always verify signatures on your server before trusting any claim.
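To make the decode-versus-verify distinction concrete, here is an added example (not the ToolFern tool's own code) that does exactly what an in-browser decoder does: split the token, Base64url-decode the header and payload, and check exp. The signature segment is kept but never checked, and the sample token (including its placeholder signature) is constructed inline for the example.

```javascript
// Base64 primitives: browsers and Node 16+ provide atob/btoa; the Buffer fallback
// only matters on older Node versions (assumption for running this outside a browser).
const atobFn = typeof atob === "function" ? atob : (s) => Buffer.from(s, "base64").toString("binary");
const btoaFn = typeof btoa === "function" ? btoa : (s) => Buffer.from(s, "binary").toString("base64");

function base64UrlToBytes(segment) {
  // Base64url (RFC 4648 section 5) swaps '+'/'/' for '-'/'_' and drops '=' padding,
  // so restore both before handing the string to a standard Base64 decoder.
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return Uint8Array.from(atobFn(padded), (ch) => ch.charCodeAt(0));
}

function decodeSegment(segment) {
  // Claims may contain non-ASCII text, so decode the bytes as UTF-8 before parsing JSON.
  return JSON.parse(new TextDecoder("utf-8").decode(base64UrlToBytes(segment)));
}

function decodeJwt(token) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  return {
    header: decodeSegment(parts[0]),
    payload: decodeSegment(parts[1]),
    signature: parts[2], // kept as-is: decoding cannot check it without the key
    verified: false,     // always false here; verification needs the secret/public key
  };
}

function isExpired(payload, nowSeconds = Math.floor(Date.now() / 1000)) {
  // exp is seconds since the Unix epoch; a token without exp has no expiry claim.
  return typeof payload.exp === "number" && payload.exp <= nowSeconds;
}

// Constructed sample token: the reverse of the decode path, used only to build test input.
function stringToBase64Url(str) {
  const binary = Array.from(new TextEncoder().encode(str), (b) => String.fromCharCode(b)).join("");
  return btoaFn(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}
const SAMPLE_TOKEN = [
  stringToBase64Url(JSON.stringify({ alg: "HS256", typ: "JWT" })),
  stringToBase64Url(JSON.stringify({ sub: "1234567890", name: "Zoë", iat: 1700000000, exp: 1700003600 })),
  "c2lnbmF0dXJlLW5vdC1jaGVja2Vk", // constructed placeholder, not a real HMAC
].join(".");

const decoded = decodeJwt(SAMPLE_TOKEN);
console.log(decoded.header, decoded.payload, "expired:", isExpired(decoded.payload));
```

Note that decodeJwt happily returns the claims of a token whose signature segment is garbage; only a server holding the key can tell the difference.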

Is it private?

Yes. Everything happens locally in your browser with built-in JavaScript — there's no network request, no logging, and your token is never uploaded to ToolFern or anywhere else. Access tokens are sensitive (they're effectively temporary passwords), so a private, in-browser decoder matters: many online decoders send whatever you paste to a remote server. Here, you can close your network connection entirely and the tool still works.

Frequently asked questions

Is my token uploaded anywhere?

No — decoding runs entirely in your browser, so your JWT never leaves your device.

Does this verify the signature?

No. It only decodes the header and payload. Verifying the signature needs the secret or public key and should be done server-side.

Why does my token decode but still get rejected by my API?

Decoding always works on well-formed tokens, but an API also checks the signature and claims like exp. An expired or wrongly-signed token decodes fine here yet is still rejected by the server.