Decode JWT without uploading (keep tokens private)
JWTs can include private claims and can grant access. Decode them locally to avoid accidental leaks.
Why this matters
A JWT is not “just a string”. In many systems it is effectively a bearer credential: if someone gets the token, they may be able to call APIs as the user or service.
Upload-based online decoders can log your input, store it in analytics, or leak it through browser extensions. A no-upload workflow keeps the token on your device.
What JWT contains (quick map)
- Header: algorithm and token type (e.g. `alg`, `typ`).
- Payload: claims (e.g. `sub`, `aud`, `iss`, `exp`).
- Signature: proves integrity (but decoding does not verify it).
Safe workflow (no upload)
- Decode locally using a browser-only tool. This lets you inspect header/payload without sending data to a server.
- Inspect key claims: check `exp` (expiry), `iat` (issued at), `aud` (audience), `iss` (issuer), and any custom fields.
- Verify on backend: treat decoded values as untrusted until your backend verifies the signature and checks issuer/audience/expiry.
Common pitfalls
- “It decoded, so it’s valid” is false. Decoding is not verification.
- Private data in claims: avoid embedding secrets in JWT payloads (they are readable).
- Base64url: JWT segments use base64url (`-` and `_`, no `=` padding), not standard base64 (`+` and `/`), so a plain base64 decoder needs the characters mapped and padding restored first.
FAQ
Can I trust what I see after decoding? You can read it, but don’t trust it for authorization decisions until verified.
Does decoding make network requests? Not on this site. All processing happens locally in your browser. Files are never uploaded.
Local verification snippet
Run a quick local check before export/convert. `token` holds the JWT string; each segment is decoded separately because the `.` separators are not valid base64, and this only decodes, it does not verify:

```javascript
// Decode the header and payload segments locally (no verification performed).
const [header, payload] = token.trim().split('.').slice(0, 2).map((segment) => {
  const normalized = segment.replace(/-/g, '+').replace(/_/g, '/'); // base64url -> base64
  return atob(normalized + '='.repeat((4 - (normalized.length % 4)) % 4)); // restore padding
});
console.log(header.slice(0, 120), payload.slice(0, 120));
```