Encode / Decode
JWT Decoder
Inspect JWT headers and payloads locally.
About JWT Decoder
JWT Decoder displays token headers and payload claims so you can inspect issuer, audience, expiry, and custom claims while debugging authentication flows.
Common uses
- Check whether an access token has expired.
- Inspect scopes or roles returned by an identity provider.
- Compare header algorithm and key ID values during integration work.
Good to know
Decoding a JWT does not prove it is valid or trusted. Signature verification must happen with the correct key in your application or identity system.
How to inspect a token
Decode the header first to see the algorithm and key ID, then review the payload claims for issuer, audience, subject, scopes, roles, issued time, and expiration.
Security boundary
A decoded JWT is only readable, not trusted. The signature, issuer, audience, clock skew, and key rotation rules must be verified by the identity library or backend that accepts the token.
Common mistakes
Do not paste production tokens into tickets, chat, or screenshots. Even expired tokens can reveal account IDs, tenant names, internal scopes, and application structure.
Before you rely on the output
- Check whether the source expects a full document, a URL component, bytes, Unicode text, or another encoding boundary before copying the result.
- Privacy mode: inputs are processed locally in your browser and are not intentionally sent to an application server.
