JWT Decoder — Inspect JSON Web Tokens Online
Paste a JWT to decode its header, payload, and check expiration.
How It Works
- 1Paste your JWT into the input area.
- 2The header, payload, and signature are decoded automatically.
- 3Inspect the claims — the token never leaves your browser.
About JWT Decoder
JSON Web Tokens (JWTs) are the industry standard for authentication and authorization across modern web applications and APIs. A JWT contains three Base64URL-encoded sections — the header (algorithm and token type), the payload (claims like user ID, roles, and expiration), and the signature. This tool splits a JWT into its three parts, decodes the header and payload, and displays the JSON content with syntax highlighting for easy reading. It automatically checks the exp (expiration) and iat (issued at) claims and warns you if the token is expired. This is essential for developers debugging authentication flows, inspecting tokens returned by OAuth providers, verifying that tokens contain the expected claims, and troubleshooting authorization issues in API integrations. Simply paste your JWT and see the decoded contents instantly — no need to manually Base64-decode each section. The tool also shows the algorithm used for signing (HS256, RS256, etc.) so you can verify it matches your expectations.
From the blog
- 12 min read
10 Free Browser-Based Developer Tools You Didn't Know Existed
JSON formatting, regex testing, JWT decoding, hash generation — ten utilities every developer reaches for, all running locally in your browser with zero install.
- 8 min read
Why Browser-Based Tools Are More Private Than Online Converters
Most online converters upload your files to a server. Browser-based tools never do. Here's exactly what changes for your privacy — and how to verify it yourself.
Frequently Asked Questions
Can this tool verify JWT signatures?
This tool decodes and displays the JWT header and payload, and checks expiration. It does not verify cryptographic signatures — that requires the signing secret or public key, which should never be pasted into a web tool.
Is my JWT token sent to a server?
No. The decoding happens entirely in your browser. Your token never leaves your device.
What are the three parts of a JWT?
A JWT is three Base64URL-encoded segments separated by dots: header (algorithm and token type), payload (your claims like sub, iat, exp), and signature (the HMAC or RSA signature over the first two segments).
Is my file uploaded to a server?
No. Transmute processes everything locally in your browser using JavaScript and the Canvas API. Your files never leave your device — there is no server, no upload, no cloud processing.
Related Tools
Base64 Encode/Decode
Encode and decode Base64 strings or files. Round-trip text, binary data, and images without any server upload — Web Crypto powered.
JSON Formatter
Format, validate, and minify JSON with syntax highlighting. Pinpoint syntax errors with precise line numbers — perfect for debugging API responses.
Hash Generator
Generate SHA-1, SHA-256, SHA-512, and MD5 hashes from text or files. Use for integrity checks, fingerprints, and quick deduplication.
URL Encode/Decode
Encode and decode URLs, query strings, and form parameters. Handles unicode, reserved characters, and percent-encoding correctly.