Decode a JWT online, without leaking your data
A JWT (JSON Web Token) is a widely used token format for authentication and for exchanging signed claims between services. If you build an API or integrate an identity provider, you will inevitably need to inspect one.
The structure of a JWT
A JWT is made of three dot-separated parts:
- Header: the signing algorithm (e.g. HS256 or RS256) and the token type.
- Payload: the claims, i.e. the data carried by the token (user id, expiry exp, issuer iss, ...).
- Signature: proof that the header and payload have not been tampered with, computed over the first two parts with a shared secret (HS256) or a private key (RS256).
The first two parts are simply base64url-encoded JSON. Base64url is an encoding, not encryption: anyone holding the token can read them without any key. Never store sensitive information in clear text in the payload.
Decode a JWT privately
Many online tools decode a JWT… by sending it to their server. For a production token, that is a potential data leak.
The Toolab JWT decoder runs entirely in your browser: the token is never transmitted. You can also verify the HS256 signature by providing the key, again client-side.
Best practices
- Always verify the signature and the expiry date (exp) on the server side: a decoder tells you what a token says, not whether you should trust it.
- Use a long, random secret key for HS256 (at least 256 bits, as RFC 7518 requires), or a key pair for RS256, and reject any token whose alg is not the one you expect.
- Never put a password or banking data in the payload.
Need a strong secret key? The password generator produces secure random strings, right in your browser.