JWT Decoder

Decode and inspect JSON Web Tokens instantly. Free, no signup.

By Mayank Rai
100% Free | No Signup | Private

How JWT Decoding Works

A JSON Web Token is three base64url-encoded segments separated by dots: header, payload, and signature. Toolkiya splits your token on the dots, base64url-decodes the header and payload, and JSON.parses each into an object tree rendered in a syntax-highlighted view.

Claims like 'exp', 'iat', and 'nbf' are translated from Unix timestamps into human-readable dates in your local timezone. The algorithm declared in the header ('alg') is surfaced prominently so you can spot 'none' or weak algorithms. The signature segment is shown but not verified — verification requires the issuer's secret or public key, which the tool will never ask you to paste. Everything runs in your browser, so the token never reaches a server.

When to Decode JWTs

- Debugging a failing auth flow by inspecting the claims your backend issued.
- Checking when a session token expires while reproducing a customer-reported bug.
- Verifying that a third-party SSO provider includes the right scopes in the access token.
- Inspecting an OAuth ID token returned by Google, Auth0, or Clerk.
- Confirming that a custom claim made it into the token after a backend change.

Why Decode JWTs in Toolkiya

JWTs are bearer tokens — anyone holding the string can impersonate the user until it expires. Pasting one into a random online decoder is a real security incident waiting to happen. Toolkiya decodes the token entirely in your browser using native base64 and JSON APIs, so the value never leaves your tab.

There is no signup, no rate limit, and no daily quota. The page works offline once loaded, which matters when you are debugging in a locked-down environment without unrestricted internet access.

Tips for Working with JWTs

If decoding fails, check that the token uses base64url (with '-' and '_') rather than standard base64 (with '+' and '/'). Treat the decoded payload as untrusted until your backend verifies the signature — decoding tells you what the token claims, not whether the claim is valid. Watch for 'alg: none' in the header: it declares an unsigned token, and accepting such tokens is a known JWT vulnerability.
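The steps described under "How JWT Decoding Works" together with the base64url and 'alg: none' checks from the tips above, as an added JavaScript example (not Toolkiya's own code). The names `b64urlDecode`, `parseSegment` and `inspectJwt` and the sample token are constructed for illustration, and timestamps are rendered in UTC rather than local time so the result is deterministic.

```javascript
// Added example: client-side JWT inspection. It decodes only; nothing here verifies the signature.
const TIME_CLAIMS = ['exp', 'iat', 'nbf'];

// base64url segment -> UTF-8 text, using APIs present in browsers and Node 16+.
function b64urlDecode(seg) {
  if (!/^[A-Za-z0-9_-]*$/.test(seg)) {
    throw new Error('not base64url: found "+", "/", "=" or another invalid character');
  }
  const b64 = seg.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return new TextDecoder('utf-8', { fatal: true }).decode(bytes);
}

// Decode one segment and require a JSON object (not null, an array or a scalar).
function parseSegment(seg, label) {
  const value = JSON.parse(b64urlDecode(seg));
  if (value === null || typeof value !== 'object' || Array.isArray(value)) {
    throw new Error(label + ' is not a JSON object');
  }
  return value;
}

function inspectJwt(token) {
  const parts = token.trim().split('.');
  if (parts.length !== 3) throw new Error('expected 3 segments, got ' + parts.length);
  const header = parseSegment(parts[0], 'header');
  const payload = parseSegment(parts[1], 'payload');
  const times = {};
  for (const name of TIME_CLAIMS) {
    // Registered time claims are seconds since the Unix epoch.
    if (typeof payload[name] === 'number') times[name] = new Date(payload[name] * 1000).toISOString();
  }
  const warnings = [];
  if (String(header.alg || '').toLowerCase() === 'none') warnings.push('alg is "none": token is unsigned');
  if (parts[2] === '') warnings.push('signature segment is empty');
  if (typeof payload.exp === 'number' && payload.exp * 1000 <= Date.now()) warnings.push('token is expired');
  // verified is always false: the payload stays untrusted until the backend checks the signature.
  return { header, payload, times, warnings, verified: false };
}

// Constructed sample token (unsigned, already expired) built inline so the example runs offline.
const enc = (obj) => btoa(JSON.stringify(obj)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const sample = enc({ alg: 'none', typ: 'JWT' }) + '.' + enc({ sub: 'user-123', exp: 1700000000 }) + '.';
console.log(inspectJwt(sample));
```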


Frequently Asked Questions

What is a JWT?

A JSON Web Token (JWT) is a compact, URL-safe token format used for securely transmitting information between parties. It consists of three Base64URL-encoded parts: header, payload, and signature.

Is it safe to paste my JWT here?

Yes. All decoding happens entirely in your browser. No data is sent to any server. However, never share your JWTs publicly as they may contain sensitive information.

Does this tool verify the signature?

No. This tool only decodes and displays the JWT contents. Signature verification requires the secret key or public key, which we do not have access to.

What do exp, iat, iss, and sub mean?

These are standard JWT claims: exp (expiration time), iat (issued at), iss (issuer — who created the token), and sub (subject — who the token is about).


Built & maintained by Mayank Rai

Solo developer based in Lucknow, India