ZeroServer.tools

JWT Decoder

Decode JSON Web Tokens instantly. Tokens are never sent to a server.

What is a JSON Web Token (JWT)?

A JWT is a compact, URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JSON object that is used as the payload of a JSON Web Signature structure, enabling the claims to be digitally signed.

Why you should never use server-side JWT decoders

JWTs often carry sensitive user session data, and many are themselves authentication tokens. Pasting them into third-party, server-backed websites is a massive security risk, because the token leaves your machine. ZeroServer's JWT Decoder splits and decodes your token's Base64URL header and payload directly in your browser, keeping your authentication data strictly on your machine.

Frequently Asked Questions

What is a JWT?
A JSON Web Token has three parts (header.payload.signature) separated by dots. The header describes the algorithm; the payload carries claims (user id, expiry, roles); the signature proves the token hasn't been tampered with.
Is it safe to decode a JWT here?
Yes. Decoding only reads the Base64URL-encoded header and payload, which are encoded rather than encrypted, so no key or secret is needed to read them. For the same reason, sensitive data should never be in a JWT payload unless the whole token is JWE-encrypted. The signature is not verified by this tool.
Why does this tool show my token as expired?
The 'exp' claim is a Unix timestamp. The tool compares it to the current time — if exp is in the past, the token has expired. Tokens typically expire in minutes to hours to limit the window of misuse.
Can I modify a JWT payload and have it accepted by a server?
No. You can decode and re-encode the payload, but the signature no longer matches, and a valid one cannot be produced without the signing key (the shared secret for HS256, the private key for RS256). Any server that verifies signatures will reject a manually modified token.
What's the difference between HS256 and RS256?
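HS256 uses a shared secret (HMAC-SHA256): both sides know the same key, so any party that can verify a token can also sign one. RS256 uses an RSA key pair: the server signs with a private key, and tokens are verified with the matching public key. RS256 is safer when multiple services need to verify tokens, because those services only need the public key.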
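
The decode-only behaviour the FAQ describes (split on dots, Base64URL-decode header and payload, compare 'exp' to the clock, no signature check), as an added example that is not this tool's own code. The function names, the sample claims and the placeholder signature are constructed for illustration.

```javascript
// Decode one Base64URL segment (RFC 4648 section 5, padding stripped) to UTF-8 text.
function b64urlDecode(segment) {
  if (!/^[A-Za-z0-9_-]*$/.test(segment)) throw new Error('invalid Base64URL characters');
  if (segment.length % 4 === 1) throw new Error('invalid Base64URL length');
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/')
    .padEnd(Math.ceil(segment.length / 4) * 4, '=');
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  return new TextDecoder('utf-8', { fatal: true }).decode(bytes);
}

// Encode helper, used only to build the constructed sample tokens below.
function b64urlEncode(text) {
  const bytes = new TextEncoder().encode(text);
  return btoa(String.fromCharCode(...bytes))
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Split header.payload.signature and decode the first two parts.
// nowSeconds is injectable so the expiry check can be tested.
function decodeJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split('.');
  if (parts.length !== 3) throw new Error('expected header.payload.signature');
  const header = JSON.parse(b64urlDecode(parts[0]));
  const payload = JSON.parse(b64urlDecode(parts[1]));
  const hasExp = typeof payload.exp === 'number';
  return {
    header,
    payload,
    expired: hasExp ? payload.exp <= nowSeconds : null, // null: no exp claim
    signatureVerified: false, // decoding never checks the signature
  };
}

// Constructed sample token; the third part is a placeholder, not a real HMAC.
const sampleToken = [
  b64urlEncode(JSON.stringify({ alg: 'HS256', typ: 'JWT' })),
  b64urlEncode(JSON.stringify({ sub: 'user-123', role: 'user', exp: 1700000000 })),
  b64urlEncode('placeholder-signature'),
].join('.');

// Swap the payload but keep the old signature. The result still decodes,
// which is why decoded claims are untrusted until a server verifies the signature.
function withPayload(token, claims) {
  const [h, , s] = token.split('.');
  return [h, b64urlEncode(JSON.stringify(claims)), s].join('.');
}
```

A token edited with `withPayload` decodes without error here, so a service must verify the signature with its key before acting on any claim.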

Private & free — this tool runs entirely in your browser.
