Complete Privacy & Local Processing
All decoding, validation, and resigning processes are performed locally in your browser's JavaScript (using Web Crypto API). Sensitive keys and tokens are never sent over the network.
100% Client-side processing. Your data never leaves your browser.
Decode JWT tokens, inspect expiration in real-time, edit claims, and resign using an HS256 secret key entirely in your browser.
A secure, browser-based utility for decoding, editing, and resigning JSON Web Tokens (JWT) without sending any data to a server.
All decoding, validation, and resigning processes are performed locally in your browser's JavaScript (using Web Crypto API). Sensitive keys and tokens are never sent over the network.
It automatically detects the `exp` (expiration claim) in the Payload, converts it to readable local date-time, and shows a real-time countdown. Alerts you if the token has expired.
Modify claims directly inside the Payload JSON editor. For HS256 (HMAC-SHA256), enter the secret key to instantly regenerate and sign a new JWT, ready for copy in one click.
JWT (JSON Web Token) is a compact token format that represents user authentication and authorization information in JSON form, with a signature attached for tamper detection. A JWT Decoder is a tool that restores this string back into its original JSON structure, allowing you to inspect its contents.
In modern web applications, SPAs, and mobile apps, JWT is the core of major authorization and authentication frameworks such as OAuth 2.0 and OpenID Connect (OIDC). Most access tokens and ID tokens issued by servers after login are in JWT format. This token is exchanged with every API request to maintain the user's authentication state and permissions.
A common misunderstanding among developers is that JWT is "encrypted". In reality, JWT consists of three parts — Header, Payload, and Signature — each merely encoded using the Base64Url scheme. This means that decoding (jwt復号 in Japanese) requires no secret key; anyone can read the contents. JWT's security is ensured by the Signature mechanism, which verifies that the content has not been tampered with, not by hiding the content. Understanding this property correctly is crucial for security design around authentication.
In practical troubleshooting, situations where you need to "quickly check the contents of a token" arise frequently. When a 401 Unauthorized error occurs during API integration or login implementation, you need to rapidly determine whether the token's exp (expiration) has already passed, or whether the required scopes and user attribute claims are correctly included — all through jwt payload inspection.
The moment you paste a JWT string into the input field, it is automatically split into the Header, Payload, and Signature sections — without pressing any button — and displayed as structured JSON. For jwt online or jwt decoding tasks, the ability to inspect the contents immediately with just a copy & paste keeps your debugging speed uninterrupted.
Beyond serving as an access token decoder, you can inspect the contents of any JWT-format token — including ID tokens and refresh tokens — on the same screen.
Within the JWT Payload, time-related information such as exp (expiration), iat (issued at), and nbf (not before) are all stored as Unix timestamps (numeric values). Looking at these numbers alone, it is not intuitive to understand when the token was issued or when it expires.
Our tool automatically detects these timestamp claims and converts them into human-readable JST/UTC date-time formats alongside the raw values. When performing a jwt expiration check, this eliminates the need to manually convert Unix timestamps, letting you see at a glance whether "this token has already expired."
Following common JWT display conventions, the Header, Payload, and Signature sections are color-coded. Since the corresponding parts in the raw token string and the decoded JSON sections are linked by the same colors, you can visually understand "which string corresponds to which information" while being aware of JWT's structure. This design also helps developers who are just learning about the three-part structure of JWT to better understand the format.
JWT Payloads contain highly sensitive information — user IDs, email addresses, group memberships, and permission data — that could enable impersonation if exposed. Pasting a live authentication token with an active session into an online tool that sends data to an external server poses a direct risk of session hijacking or data leakage, and is prohibited by many organizations' security policies.
All JWT data entered into our tool is processed exclusively within your browser using JavaScript. No data is ever transmitted to or stored on an external server. From a "safe jwt decode online" standpoint, you can verify this yourself by opening your browser's Developer Tools (Network tab) while using the tool. Because no server communication ever occurs, there is structurally no risk of your pasted token being recorded by any third-party server.
No account registration or app installation is needed. Simply access it from your browser and start using it immediately — with no ad interruptions, no usage limits, and no sign-up barriers. As a free jwt tool, the ability to launch it from a bookmark in under a second while investigating authentication errors helps you stay focused on identifying the root cause without slowing down your workflow.
A JWT Decoder is a tool that decomposes a JSON Web Token string into its three constituent parts — Header, Payload, and Signature — and restores them into a readable JSON format. It is used during authentication debugging to quickly inspect the user information, expiration time, and other claims contained within the token.
No, it is not encrypted. The Header and Payload of a JWT are merely encoded using the Base64Url scheme, meaning anyone without a secret key can still read the contents. JWT's security is ensured by the Signature mechanism, which verifies that the content has not been tampered with. It is not an encryption technology designed to hide the content — please keep this distinction in mind.
All JWT data entered into our tool is processed exclusively within your browser. It is never sent to or stored on our servers or any third-party servers. You can verify this yourself by opening your browser's Developer Tools (Network tab) to confirm that no external communication occurs. However, please handle tokens with active sessions with the same care you would apply to any sensitive business data.
exp stands for Expiration Time, a claim indicating how long the token remains valid as a Unix timestamp. iat stands for Issued At, representing when the token was issued. Our tool automatically detects these numeric values and displays them alongside human-readable JST/UTC date-time formats, so you can check for expiration at a glance.