Decode & Inspect JWT Tokens Online
JSON Web Tokens are the backbone of modern API authentication, but their compact Base64url-encoded format makes them completely opaque until decoded. Whether you are debugging an authentication failure, auditing the claims returned by an OAuth provider, or verifying that a token carries the correct user roles, you need to read the raw header and payload without any server round-trip. devtoolkit.sh's JWT Decoder splits the token into its three parts — header, payload, and signature — and pretty-prints the JSON of each section so you can read every field clearly. The expiration claim is automatically compared to the current time so you know immediately whether the token is still valid. The Base64 Decoder is also available if you want to manually inspect URL-safe Base64 segments, and the JSON Formatter lets you explore nested claim structures with collapsible tree views. Your tokens are decoded entirely in your browser; nothing is transmitted or logged.
Decode and inspect JSON Web Token header and payload.
Decode Base64-encoded strings back to readable text.
Pretty-print and format JSON with proper indentation.
FAQ
- Is it safe to paste my JWT into this tool?
- Yes. Decoding happens entirely in your browser using Base64url decoding — nothing is sent to any server. That said, avoid pasting tokens that carry long-lived privileges into any online tool as a general security practice.
- Can this tool verify the JWT signature?
- No. Signature verification requires the secret key or RSA/EC public key, which is a server-side operation. This tool only decodes the readable header and payload sections.
- How do I check if my JWT is expired?
- The decoder automatically reads the exp claim and compares it to the current UTC time, showing whether the token is valid or how long ago it expired.