JWT Decoder — Decode and Inspect JWT Tokens Securely in Your Browser
Decode JWT tokens and inspect headers, payloads, and signatures without sending them to any server. Free, private, works offline.
JWT (JSON Web Token) is the authentication standard used by virtually every modern web application and API. When debugging auth issues, inspecting token claims, or understanding token structure, you need a decoder that’s fast and — critically — doesn’t send your tokens to a third-party server. SimpleTools JWT Decoder decodes JWTs entirely in your browser.
What Is a JWT?
A JWT is a compact, URL-safe token consisting of three Base64url-encoded parts separated by dots:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ1c2VyMTIzIiwibmFtZSI6IkphbmUgRG9lIiwiaWF0IjoxNzIwMDAwMDAwLCJleHAiOjE3MjAwMDM2MDB9.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5cPart 1 — Header: Algorithm and token type
{
"alg": "HS256",
"typ": "JWT"
}Part 2 — Payload: Claims (the actual data)
{
"sub": "user123",
"name": "Jane Doe",
"iat": 1720000000,
"exp": 1720003600
}Part 3 — Signature: A cryptographic signature that verifies the token hasn’t been tampered with (requires the secret key to verify)
Critical Security Warning: Never Paste JWTs into Unknown Tools
A JWT is your identity token. Pasting a live, unexpired JWT into a third-party website is equivalent to handing over your session credentials. If the website logs your token, an attacker could use it to impersonate you for as long as the token is valid.
SimpleTools JWT Decoder is different because:
✅ Your token never leaves your browser tab — no server receives it
✅ Works offline — decode tokens without internet access
✅ Open to inspection — the tool is client-side JavaScript that you can verify
✅ No accounts or storage — your tokens aren’t saved anywhere
How JWT Decoding Works
JWTs don’t need the secret key to be read — only to be verified. The header and payload are simply Base64url-encoded JSON. Decoding is just:
const [header, payload, signature] = token.split('.');
const decodedHeader = JSON.parse(atob(header.replace(/-/g, '+').replace(/_/g, '/')));
const decodedPayload = JSON.parse(atob(payload.replace(/-/g, '+').replace(/_/g, '/')));The tool handles Base64url padding correctly and displays both parts as formatted JSON.
Signature verification requires the secret (HMAC) or public key (RSA/ECDSA). The tool can verify HMAC signatures if you provide the secret key — and again, this is done entirely in JavaScript using the Web Crypto API, never on a server.
How to Use the JWT Decoder
- Visit simpletools.one/jwt-decoder
- Paste your JWT token into the input field
- The header and payload are decoded and displayed instantly as formatted JSON
- Key claims are highlighted:
- exp (expiration) — shown as a human-readable date/time
- iat (issued at) — when the token was issued
- sub (subject) — the user identifier
- iss (issuer) — who issued the token
- An expiration status indicator shows whether the token has expired
- Optional: Enter your HMAC secret to verify the signature
Common JWT Claims Explained
| Claim | Full Name | Meaning |
|---|---|---|
sub | Subject | User ID or entity the token represents |
iss | Issuer | Who created the token (e.g., your auth service) |
aud | Audience | Intended recipients of the token |
exp | Expiration | Unix timestamp when the token expires |
iat | Issued At | Unix timestamp when the token was created |
nbf | Not Before | Unix timestamp before which the token is invalid |
jti | JWT ID | Unique identifier to prevent token replay |
Who Uses This Tool?
- Backend developers debugging authentication issues — inspecting token claims without running code
- Security engineers auditing token payloads for sensitive data leakage
- Front-end developers understanding what’s in the token their application receives
- DevOps engineers inspecting service account tokens in Kubernetes or cloud environments
- Students learning how JWT authentication works
Decode your JWT tokens securely at simpletools.one/jwt-decoder — your tokens never leave your browser.