JWT Decoder & Inspector
Paste any JWT token to instantly decode its header, payload, and claims — everything runs in your browser.
Paste a JWT to decode it
The token is decoded entirely in your browser. Nothing is sent to any server.
// FAQ
What is a JWT?
A JSON Web Token is a compact, URL-safe format for asserting claims between parties. It has three parts — header, payload, signature — separated by dots and encoded with base64url.
Is it safe to paste my JWT here?
Yes — all decoding happens locally in your browser. Nothing is sent to our servers, logged, or stored. That said, avoid pasting production access tokens into any online tool if you can help it.
Can this tool verify JWT signatures?
Yes. The Verify tab checks HMAC (HS256/384/512) signatures with your secret, and RSA, ECDSA, or PSS signatures with a PEM or JWK public key, all in your browser via WebCrypto. It can also fetch a JWKS URL to pick the right key. Your production apps should still verify server-side.
Building an app with JWT authentication?
CODERCOPS implements secure auth systems — OAuth2, JWT, SSO, and custom identity solutions — for startups and enterprise apps.