JWT Decoder
Decode the header and payload of a JSON Web Token locally in your browser. The signature is shown but not verified — no keys leave the page.
How to Use the JWT Decoder
- Paste a JWT token (three dot-separated segments).
- Click Calculate to see the decoded header and payload.
- Verify the signature separately with your signing key.
Use Cases
- Debugging OAuth / OIDC flows.
- Inspecting session tokens during QA.
- Reading claims without touching production infrastructure.
Formula
JWT = base64url(header) . base64url(payload) . base64url(signature). Each segment is base64url-decoded using atob after replacing - with + and _ with /, then padding with = to a multiple of 4 characters.
Frequently Asked Questions
Is the signature verified?
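No. This tool only decodes. To verify, you must run HMAC, RSA, or ECDSA verification with the issuer's key (the shared secret for HMAC, the public key for RSA and ECDSA). The decoder never performs that step and needs no key material, which is why it is safe to run on untrusted tokens.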
Is it safe to paste real tokens here?
Decoding happens entirely in your browser; nothing is sent anywhere. Still, treat production tokens as secrets and consider revoking them after debugging.
Why does my token fail to decode?
Most likely it has stray whitespace, a missing dot, or the signature segment was truncated. Ensure the token has exactly three dot-separated parts.
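The decoding steps described above (split on dots, swap - and _ for + and /, pad, atob) together with the failure cases from the last answer, as an added example that is not this tool's own code. The function names, the sample token and its placeholder signature bytes are constructed for illustration.

```javascript
// Added example: decode-only JWT parsing; claims stay untrusted (no verification).
// base64url segment -> bytes: swap the URL-safe characters, pad, then atob.
function base64urlToBytes(segment) {
  if (!/^[A-Za-z0-9_-]*$/.test(segment)) {
    throw new Error("segment has characters outside the base64url alphabet");
  }
  if (segment.length % 4 === 1) {
    throw new Error("segment length is invalid for base64url (truncated?)");
  }
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  // atob returns a "binary string": one character per decoded byte.
  return Uint8Array.from(atob(padded), (ch) => ch.charCodeAt(0));
}

// Header and payload are UTF-8 encoded JSON; reject invalid UTF-8 outright.
function decodeJsonSegment(segment, name) {
  const bytes = base64urlToBytes(segment);
  const text = new TextDecoder("utf-8", { fatal: true }).decode(bytes);
  try {
    return JSON.parse(text);
  } catch {
    throw new Error(`${name} is not valid JSON`);
  }
}

function decodeJwt(token) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) {
    throw new Error(`expected 3 dot-separated segments, got ${parts.length}`);
  }
  return {
    header: decodeJsonSegment(parts[0], "header"),
    payload: decodeJsonSegment(parts[1], "payload"),
    signatureLength: base64urlToBytes(parts[2]).length, // bytes, unchecked
    verified: false,
  };
}

// Constructed sample token; the signature segment is 8 placeholder bytes.
const toSegment = (obj) =>
  btoa(String.fromCharCode(...new TextEncoder().encode(JSON.stringify(obj))))
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const SAMPLE_TOKEN = [
  toSegment({ alg: "HS256", typ: "JWT" }),
  toSegment({ sub: "user-123", name: "Zoë" }),
  "AAECAwQFBgc",
].join(".");
console.log(decodeJwt(SAMPLE_TOKEN));
```

The non-ASCII name in the sample payload is why the bytes go through TextDecoder: reading the atob output directly as text would mangle multi-byte UTF-8 characters.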