Decode JWT Token Offline
Decode and inspect a JSON Web Token entirely in your browser, with no internet connection required after the page loads. Paste your JWT and see the header and payload immediately. All decoding runs locally using standard JavaScript.
VIEW
How it works
A JWT consists of three Base64URL-encoded parts separated by dots. The tool splits the token, fixes URL-safe base64 encoding (replacing - with + and _ with /), pads to a multiple of 4 characters, then decodes with atob() and parses with JSON.parse(). All of this runs in your browser. Our servers are not involved.
Processing runs in your browser
Your JWT is decoded entirely in your browser. Our servers are not involved at any point. Treat tokens as sensitive credentials and avoid pasting production tokens in shared or public environments. You can check this yourselfin your browser's DevTools Network tab.
Technical specification
JSON Web Token (JWT) is defined in RFC 7519 (IETF, 2015). A JWT consists of three Base64url-encoded sections separated by .: header, payload, and signature. Base64url encoding is defined in RFC 4648 §5, which substitutes + with - and / with _ and omits padding, making it safe for use in URLs without percent-encoding. Signed JWTs (JWS) are specified separately in RFC 7515.
- Structure
- header.payload.signature (3 Base64url parts)
- Standards
- RFC 7519 (JWT), RFC 7515 (JWS), RFC 4648 (Base64url)
- Header claims
alg(algorithm),typ(token type)- Common payload claims
sub,iss,exp,iat,aud
Related operations
To inspect the raw Base64 segments of a token, try Base64. For verifying the signing input by hash, use the hash generator. To pretty-print decoded payloads, see the JSON formatter.
Frequently asked questions
- How does offline JWT decoding work?
- JWT tokens consist of three Base64URL-encoded sections separated by dots. Your browser decodes each section using the standard atob() function and JSON.parse(). No server, no library download, no network request.
- Why is it important to decode JWTs without uploading them?
- JWT tokens often contain user IDs, session credentials, and role claims. Pasting a token into a server-based tool means the server operator can read all of that information. Decoding locally means only your browser sees the token contents.
- Does this tool verify the JWT signature?
- Signature verification requires the secret or public key. This tool decodes the header and payload only. It does not validate whether the token's signature is correct.
- Can I use this tool without an internet connection?
- Yes. After the page loads, all decoding runs locally. You can disconnect from the internet and the tool continues to work.