Decodes a JWT header and payload (no signature verification).
The JWT Decoder splits a JSON Web Token on its dots and base64url-decodes the header and payload into readable, pretty-printed JSON. It's handy when you need to inspect a bearer token's claims, algorithm, and expiry while debugging authentication flows. Note that it decodes only and does not verify the signature, so no secret or key is required.
No. Decoding runs entirely in your browser using built-in atob and TextDecoder APIs, so nothing is uploaded and the token never leaves your device.
No. It only decodes the header and payload; the signature is not checked and no secret or key is needed. A decoded payload does not mean the token is valid or trusted.
A JWT in the standard header.payload.signature form, separated by dots. The decoder reads the first two parts (header and payload); at least two parts are required or it reports an invalid JWT.
The header and payload must be valid base64url-encoded JSON. If a segment is truncated, malformed, or not JSON once decoded, parsing fails and an error is shown.
Yes. It converts the URL-safe characters (- and _) back to standard base64 and re-adds the missing = padding before decoding, so unpadded JWT segments work.