JWT Decoder
Decode and inspect JSON Web Tokens in your browser
⚙️ How It Works
Paste your raw JWT string into the input box. The tool splits it into its three dot-separated sections (Header, Payload, and Signature), base64url-decodes the Header and Payload, and instantly formats the output as clean, colorized JSON. The Signature is shown as-is, since it is not JSON.
❓ Frequently Asked Questions
Is my session token kept safe?
The token never leaves your browser: decoding is plain base64url done by JavaScript on this page, and nothing is sent to any server. That is not the same as "cannot be hijacked", however. A pasted token is still a live credential, so it remains as exposed as anything else on your clipboard or screen. When debugging, prefer short-lived or test tokens over production session tokens, and avoid pasting production tokens into any third-party page.
Can this verify the JWT cryptographic signature?
No. This utility decodes the header and payload only. Verifying the signature requires the right key material, and which material that is depends on the algorithm: for HMAC algorithms (HS256, HS384, HS512) it is the shared secret, which must never be exposed to a front-end tool; for asymmetric algorithms (RS256, ES256, PS256 and friends) verification needs only the public key, which is safe to publish. Either way, a decoder that does not verify tells you nothing about whether a token is authentic, so treat everything it shows as unverified input.
Can I edit the payload to forge a new token?
Reading the payload is not the same as being able to forge one. Any change to the decoded payload changes the signing input (the encoded header and payload), so the original signature no longer verifies, and producing a new valid signature requires the signing key: the shared secret for HS* algorithms, the private key for RS*/ES*/PS*. Whether a server actually rejects a tampered token depends on it verifying the signature with the algorithm and key it expects rather than trusting the token's own header; this tool cannot test that for you.
What parts of the JWT are decoded?
The tool decodes the Header and Payload sections into readable JSON. The Signature is displayed as base64url text but is not decoded further: it is the raw bytes of a MAC (HS* algorithms) or a digital signature (RS*, ES*, PS* algorithms) computed over the encoded header and payload, not base64url-encoded JSON.
Why does my token fail to decode?
Common causes include a malformed token, the wrong number of sections (a signed JWT has exactly three dot-separated parts; five parts means the token is a JWE, which this tool does not handle), characters that are not valid base64url, or a header or payload that is not valid JSON once decoded. Ensure the token is copied exactly as issued, without surrounding whitespace or a "Bearer " prefix.
Does this support base64url encoding?
Yes. JWTs use base64url encoding (RFC 4648 section 5): '-' and '_' in place of '+' and '/', and no trailing '=' padding. The tool maps those characters back to standard base64 and restores the padding before decoding.
Can this tool handle expired tokens?
Yes. Expired tokens can still be decoded, since expiration only affects validation, not readability. You can inspect the 'exp' claim to see when it expired: it is a NumericDate, the number of seconds since the Unix epoch (UTC), not milliseconds and not a formatted date string.
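The decoding steps described in the sections above (splitting on dots, mapping base64url to base64 and restoring padding, parsing the JSON, and reading 'exp' as seconds since the epoch) as an added example that is not the JWT Decoder's own source. It uses only browser APIs (atob, TextDecoder), which are also available in Node.js 16+. The sample token is the well-known jwt.io demonstration token (HS256, no 'exp' claim); the function names are this example's own.

```javascript
// Added example (not the tool's own code): minimal client-side JWT decoding.
// Runs in a browser or Node.js 16+ without any network access.

// The canonical jwt.io demonstration token: header {"alg":"HS256","typ":"JWT"},
// payload {"sub":"1234567890","name":"John Doe","iat":1516239022}.
const SAMPLE_TOKEN =
  "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9" +
  ".eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ" +
  ".SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c";

// base64url (RFC 4648 section 5) to bytes: strip any '=' a sender added,
// reject characters outside the alphabet, map '-'/'_' to '+'/'/', then
// restore padding because atob() expects standard base64.
function base64UrlToBytes(s) {
  const clean = s.replace(/=+$/, "");
  if (!/^[A-Za-z0-9_-]*$/.test(clean)) throw new Error("invalid base64url character");
  const std = clean.replace(/-/g, "+").replace(/_/g, "/");
  const padded = std + "=".repeat((4 - (std.length % 4)) % 4);
  return Uint8Array.from(atob(padded), (c) => c.charCodeAt(0)); // atob throws on bad length
}

// Split the token and decode the two JSON sections; keep the signature as bytes.
function decodeJwt(token) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) {
    throw new Error(`expected 3 dot-separated parts, got ${parts.length}`);
  }
  const [h, p, s] = parts;
  const utf8 = new TextDecoder("utf-8", { fatal: true }); // throw on invalid UTF-8
  const header = JSON.parse(utf8.decode(base64UrlToBytes(h)));
  const payload = JSON.parse(utf8.decode(base64UrlToBytes(p)));
  const signature = base64UrlToBytes(s); // raw MAC/signature bytes, not JSON
  return { header, payload, signature };
}

// Report the 'exp' claim (NumericDate: seconds since the Unix epoch) against
// a clock, defaulting to now. Decoding does not depend on expiry at all.
function expiryStatus(payload, nowSeconds = Math.floor(Date.now() / 1000)) {
  if (typeof payload.exp !== "number") return "no exp claim";
  const when = new Date(payload.exp * 1000).toISOString();
  return payload.exp <= nowSeconds ? `expired at ${when}` : `valid until ${when}`;
}

// Stand-alone run: decode the sample token and print what the tool would show.
const decoded = decodeJwt(SAMPLE_TOKEN);
console.log(JSON.stringify(decoded.header, null, 2));
console.log(JSON.stringify(decoded.payload, null, 2));
console.log("signature bytes:", decoded.signature.length, "expiry:", expiryStatus(decoded.payload));
```

Note that base64UrlToBytes tolerates trailing '=' padding for convenience; a verifier, as opposed to a viewer, should be stricter and reject padded or otherwise non-canonical input, since lenient parsing is where signed-and-checked bytes can diverge from what was displayed.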
What are standard JWT claims?
Common registered claims include 'iss' (issuer), 'sub' (subject), 'aud' (audience), 'exp' (expiration time), 'iat' (issued at), 'nbf' (not before), and 'jti' (a unique token ID, used for revocation or replay detection). These provide metadata about the token's purpose and validity; applications add their own private claims alongside them.
Is this tool suitable for production debugging?
Yes, for inspection purposes. It is particularly useful for debugging authentication flows, inspecting claims, and verifying token structure during development.
Are any logs or analytics collected from my input?
No. The decoding process happens entirely client-side, and no token data is stored, logged, or transmitted externally.
Can this decode encrypted JWTs (JWE)?
No. Encrypted JWTs (JWE) have five dot-separated parts rather than three, and their payload is ciphertext that can only be read with the recipient's decryption key. This tool only decodes standard signed tokens (JWS), whose payload is merely base64url-encoded, not encrypted.
Why is the output formatted as JSON?
JWT payloads are JSON objects encoded as base64url strings. Formatting them improves readability and makes it easier to inspect nested claims and values.
What should I do if my payload looks empty or incorrect?
Check that the token is valid and properly encoded. Also verify that you're pasting the full token and not a truncated or partially copied string.
Does the JWT Decoder work offline?
Yes, the JWT Decoder is fully functional offline. Because this tool runs entirely in your browser, no data is ever uploaded to external servers. Once the page is loaded, you can seamlessly continue using it without an active internet connection. You can also install Knicknaks as a Progressive Web App (PWA) for native-like offline access.