CalculatorsConvertersDeveloperTextAll toolsDirectory
Submit your tool Sign in
Theme
Home/Answers/Developer
How-to

How do I decode a JWT token safely?

Short answer

Decode a JWT with a browser-based decoder that parses the token on your own device, so the token and its claims are never sent to a server. It shows the header and payload instantly and is safe to use with real tokens because nothing is transmitted or logged.

A JWT is sensitive, treat it that way

A JSON Web Token often carries a user id, session information and scopes, and it is effectively a live credential until it expires. Pasting a real token into a website that decodes it server-side hands your credential to that site. A client-side decoder splits and base64-decodes the token in your browser, so the token never leaves your machine.

What you can read from it

Decoding shows the header (algorithm and type) and the payload (the claims), which is enough to check expiry, issuer and scopes while debugging. Note that decoding is not the same as verifying the signature, which requires the secret or public key.

Frequently asked questions

Is my token sent anywhere?

No. The token is decoded entirely in your browser and is never transmitted or stored.

Does it verify the signature?

Decoding reveals the header and payload; verifying the signature separately requires the signing key.

Can I decode expired tokens?

Yes. Decoding works regardless of expiry, which is useful for debugging.

Related answers