JWT Decoder

Q: Is it safe to paste my JWT here?

Yes. The token is decoded entirely in your browser — no part of the token is sent over the network. Open DevTools → Network to confirm zero outbound requests.

Decode only · no verification

JWT Token

Decoded

Paste a JWT token on the left to decode it

Why use a private JWT decoder?

A JWT (JSON Web Token) contains your user's identity, roles, and session claims. Pasting it into an online decoder means transmitting a live bearer credential to a third-party server. Even if the token is short-lived, that window is enough for it to be logged, replayed, or harvested.

formatvault decodes the base64url-encoded header and payload sections directly in your browser. Nothing is transmitted — not the token, not the claims, not the signature. The decode happens in the same JavaScript context as your other browser tabs.

How it works

A JWT is three base64url-encoded sections separated by dots: header.payload.signature. The decoder splits on the dots, base64url-decodes each section, and parses the resulting JSON.

The signature is displayed as-is but never verified — signature verification requires the secret key and is intentionally out of scope. This tool is for inspecting and debugging tokens, not validating them in production.

Common use cases

Inspecting the claims inside a token returned by your auth provider (Auth0, Cognito, Okta)
Debugging expiry issues — the exp and iat claims are displayed as human-readable timestamps
Checking which roles or scopes are encoded in the payload during development
Verifying that your backend is signing tokens with the correct algorithm (RS256, HS256)
Reading tokens in CI/CD pipelines or during incident response without using a web service
Teaching JWT structure to developers new to token-based authentication

Frequently asked questions

Is it safe to paste my JWT here?: Yes. The token is decoded entirely in your browser using the Web Crypto API — no part of the token is sent over the network. Open DevTools → Network to confirm zero outbound requests.
Does this verify the signature?: No. Signature verification requires the secret or public key used to sign the token. This tool only decodes and displays the header and payload. Never trust a token's claims in production without verifying the signature server-side.
Why does the expiry say my token is already expired?: JWT timestamps are Unix epoch seconds (not milliseconds). The decoder converts exp and iat to human-readable local time automatically. If it shows expired, the token genuinely has a past expiry — check your token refresh logic.
What algorithms does this support?: The decoder works with any JWT regardless of the signing algorithm (HS256, RS256, ES256, etc.) because decoding the payload does not require the key. The alg field in the header tells you which algorithm was used to sign it.
Can I decode tokens that contain sensitive user data?: Yes — that is exactly the use case this tool is designed for. Because nothing leaves your browser, you can safely decode tokens containing PII, user IDs, or internal role assignments without exposing them to a third party.

Why use a private JWT decoder?

How it works

A JWT is three base64url-encoded sections separated by dots: header.payload.signature. The decoder splits on the dots, base64url-decodes each section, and parses the resulting JSON.

Common use cases

Inspecting the claims inside a token returned by your auth provider (Auth0, Cognito, Okta)

Debugging expiry issues — the exp and iat claims are displayed as human-readable timestamps

Checking which roles or scopes are encoded in the payload during development

Verifying that your backend is signing tokens with the correct algorithm (RS256, HS256)

Reading tokens in CI/CD pipelines or during incident response without using a web service

Teaching JWT structure to developers new to token-based authentication

Frequently asked questions

Is it safe to paste my JWT here?

Yes. The token is decoded entirely in your browser using the Web Crypto API — no part of the token is sent over the network. Open DevTools → Network to confirm zero outbound requests.

Does this verify the signature?

No. Signature verification requires the secret or public key used to sign the token. This tool only decodes and displays the header and payload. Never trust a token's claims in production without verifying the signature server-side.

Why does the expiry say my token is already expired?

JWT timestamps are Unix epoch seconds (not milliseconds). The decoder converts exp and iat to human-readable local time automatically. If it shows expired, the token genuinely has a past expiry — check your token refresh logic.

What algorithms does this support?

The decoder works with any JWT regardless of the signing algorithm (HS256, RS256, ES256, etc.) because decoding the payload does not require the key. The alg field in the header tells you which algorithm was used to sign it.

Can I decode tokens that contain sensitive user data?

Yes — that is exactly the use case this tool is designed for. Because nothing leaves your browser, you can safely decode tokens containing PII, user IDs, or internal role assignments without exposing them to a third party.