Tools Developer Tools

← Back to all tools

Free JWT Decoder

Decode and inspect JSON Web Tokens. Everything happens in your browser. No login. No upload.

Your JWT never leaves your browser — it's decoded locally with no server, upload, or tracking. This tool decodes structure only and does not verify the signature.

Paste your token

Developer snippets

How to parse, validate, and read claims from a JWT in your stack.

Node

        

How JWT authentication works

A JWT lets an API identify a user without storing a server-side session. Here's the full round trip:

  1. User logs in with username & password
  2. Server verifies the credentials
  3. Server builds the claims (user ID, roles, expiry…)
  4. Server signs header + payload with a secret (HS256) or private key (RS256/ES256)
  5. JWT is returned; the browser stores it
  6. Browser sends Authorization: Bearer eyJ… on each request
  7. API verifies the signature, then checks exp, nbf, iss, aud
  8. If everything checks out, the user is authenticated

Key idea: the server does not trust the payload just because it can decode it. It trusts the claims only after cryptographically verifying the signature with the right key. That's also why changing a single character breaks the token — the signature no longer matches the modified content.

What is a JWT?

A JWT (JSON Web Token) is a digitally signed token that lets applications identify a user and carry claims between systems without keeping session state on the server. It has three Base64URL parts — header.payload.signature — separated by dots.

What's inside?

The header names the signing algorithm and token type. The payload holds the claims (user ID, roles, expiration, custom fields). The signature is a cryptographic value over the header and payload that proves they weren't altered after signing.

Where is a JWT stored?

It depends on the app. In-memory disappears on refresh but is hardest to steal. localStorage is easy but readable by any JavaScript (XSS risk). sessionStorage lasts for the tab. A Secure HttpOnly cookie can't be read by scripts (reduces XSS exposure) but needs CSRF defenses. There's no single "right" answer — it's a tradeoff.

HS256 vs RS256 vs ES256

HS256 uses one shared secret to both sign and verify — simple, but every verifier holds the signing secret. RS256 and ES256 use a key pair: a private key signs and a public key verifies, so you can share verification without sharing the ability to mint tokens. ES256 (elliptic-curve) gives similar security to RS256 with smaller keys and signatures.

Why can't this tool verify the signature?

Verification requires the secret (HS256) or public key (RS256/ES256), which belongs to the issuing server — not the token. So this tool validates structure and decodes the claims, but always shows "Signature not verified." Never trust a token based on decoding alone.

Your data stays in your browser

This tool uses your browser's built-in APIs. Nothing is uploaded, stored, logged, or tracked. There is no account, no watermark, and no external service in the middle — you can even use it offline.

From Balance On Hand

Built by Balance On Hand

Free tools with no login, no upload, and no unnecessary friction — plus a cash-flow planning app that helps you see how bills, subscriptions, loans, income, and spending affect your future balance.