JWT Decoder

Decode · inspect · verify · build JSON Web Tokens

About this tool

What does the JWT decoder show?
The decoded header (algorithm, token type), payload (all claims with human-readable timestamps), and the signature. It color-codes standard claims like exp, iat, sub, and iss.

Does it verify the signature?
No. Signature verification requires the secret or public key, which the decoder does not accept. Use it to inspect token contents, not to validate tokens.

Is my token sent to a server?
No. The decoder runs client-side. Never paste production tokens into third-party online tools — this one keeps everything in your browser.

Why is my exp claim showing as a timestamp number?
JWT exp claims are Unix timestamps (seconds since epoch). The decoder automatically converts them to human-readable date-time strings next to the raw number.

About

JWT Decoder parses a JSON Web Token client-side. Nothing leaves your browser.

Decode shows header, payload (with claim explanations), and signature in three cards. Timestamp claims (exp, iat, nbf) render as both unix and human-readable with a countdown.

Verify uses WebCrypto to check HMAC signatures (HS256/HS384/HS512) against your secret. RS/ES/PS algorithms require a public key and are not supported in this tool.

Builder creates demo tokens with arbitrary payload (unsigned — do not use in production).

Diff compares two tokens and highlights changed / added / removed claims — handy for debugging refresh flows.

Shortcuts: ⌘1/2/3 switch tabs · ⌘Enter copy payload · ⌘K clear.
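
The HMAC check described for the Verify tab, combined with the exp handling from the FAQ, as an added JavaScript example (not this tool's own source). The names verifyHs and signHs, the secret and the sample claims are assumptions made for illustration.

```javascript
// Added example, not this tool's source. Names, secret and claims are constructed.
// Browsers and Node 20+ expose WebCrypto globally; older Node falls back to node:crypto.
const subtle = (globalThis.crypto ?? require("node:crypto").webcrypto).subtle;
const enc = new TextEncoder();
const dec = new TextDecoder();
const HASH = { HS256: "SHA-256", HS384: "SHA-384", HS512: "SHA-512" }; // allow-list

function b64urlDecode(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  const bin = atob(b64 + "=".repeat((4 - (b64.length % 4)) % 4));
  return Uint8Array.from(bin, (c) => c.charCodeAt(0));
}

function b64urlEncode(bytes) {
  const b64 = btoa(String.fromCharCode(...bytes));
  return b64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

function hmacKey(secret, alg, usage) {
  const params = { name: "HMAC", hash: HASH[alg] };
  return subtle.importKey("raw", enc.encode(secret), params, false, [usage]);
}

// Builds the constructed sample token so the example runs offline.
async function signHs(header, payload, secret) {
  const part = (obj) => b64urlEncode(enc.encode(JSON.stringify(obj)));
  const input = part(header) + "." + part(payload);
  const key = await hmacKey(secret, header.alg, "sign");
  const sig = await subtle.sign("HMAC", key, enc.encode(input));
  return input + "." + b64urlEncode(new Uint8Array(sig));
}

// Resolves to { valid, expired, payload }. Claims are returned only after the
// signature checks out; any alg outside the HS* allow-list (none, RS256, ...) throws.
async function verifyHs(token, secret, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const [h, p, s] = parts;
  const header = JSON.parse(dec.decode(b64urlDecode(h)));
  if (!Object.hasOwn(HASH, header.alg)) throw new Error("unsupported alg: " + header.alg);
  const key = await hmacKey(secret, header.alg, "verify");
  // subtle.verify recomputes the MAC over "header.payload" inside the crypto
  // implementation, so no hand-written signature string comparison is needed.
  const valid = await subtle.verify("HMAC", key, b64urlDecode(s), enc.encode(h + "." + p));
  if (!valid) return { valid, expired: null, payload: null };
  const payload = JSON.parse(dec.decode(b64urlDecode(p)));
  // exp is Unix seconds, so compare against seconds, not Date.now() milliseconds.
  const expired = typeof payload.exp === "number" && payload.exp <= nowSec;
  return { valid, expired, payload };
}
```

Pass a fixed nowSec when testing so the expiry result does not depend on the wall clock.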