Pulsars

JWT Decoder — Decode JSON Web Tokens Locally

🔒 100% client-side — Your tokens never leave your browser. No data is sent to any server.

A JSON Web Token (JWT) is a compact, URL-safe token format defined in RFC 7519 for securely transmitting claims between parties. It consists of three Base64URL-encoded parts separated by dots: Header (algorithm and token type), Payload (claims such as user ID, expiration, and issuer), and Signature (a MAC or digital signature computed over the header and payload). JWTs are widely used for API authentication, single sign-on (SSO), and stateless session management in modern web applications.

What is a JWT?

A JSON Web Token (JWT) is an open standard (RFC 7519) for securely transmitting information between parties as a compact, URL-safe string. JWTs are the backbone of modern authentication: when you log into an app, the server issues a JWT that your client sends with every subsequent request to prove your identity.

A JWT looks like this: xxxxx.yyyyy.zzzzz — three Base64URL-encoded parts separated by dots.

What are the three parts of a JWT?

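Every JWT consists of three parts: the Header (algorithm and token type), the Payload (claims such as user ID, roles, and expiration), and the Signature (cryptographic proof that the token hasn't been tampered with).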

Why Decode JWTs Locally?

JWTs often contain sensitive information: user IDs, email addresses, roles, permissions, and internal service identifiers. Pasting these tokens into online tools that send data to their servers creates a security risk — the token could be logged, cached, or intercepted.

This tool decodes everything using JavaScript's native atob() function directly in your browser. No network requests are made. You can verify this by opening your browser's DevTools Network tab while using the tool.

Frequently Asked Questions

Is it safe to paste my JWT here?

Yes. This tool decodes your JWT entirely in your browser using JavaScript's built-in atob() function. No data is sent to any server — your token never leaves your device. Unlike some online decoders that send tokens through their servers, Pulsars processes everything locally.

What are the three parts of a JWT?

A JWT consists of three Base64URL-encoded parts separated by dots: the Header (algorithm and token type), the Payload (claims — the actual data like user ID, roles, and expiration), and the Signature (cryptographic proof that the token hasn't been tampered with).

Can this tool verify JWT signatures?

No. Signature verification requires the secret key (for HMAC algorithms like HS256) or the public key (for RSA/ECDSA algorithms like RS256 or ES256). Since we don't have access to your keys — and deliberately don't ask for them — we can only decode and display the token contents. Use your backend or a local CLI tool for full verification.

What does the 'exp' claim mean?

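The 'exp' (Expiration Time) claim is a Unix timestamp (seconds since the epoch) indicating when the token becomes invalid. After this time, any system validating the token should reject it. This tool automatically checks whether your token is expired and shows a clear EXPIRED or VALID badge. The badge reflects only the expiry check: because the tool does not verify signatures, VALID does not mean the token is authentic.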

What's the difference between JWS and JWE?

JWS (JSON Web Signature) is what most people call a JWT — the payload is Base64URL-encoded (readable by anyone) and signed for integrity. JWE (JSON Web Encryption) encrypts the payload so it's not readable without the decryption key. This tool decodes JWS tokens. If you paste a JWE token, the payload will not be readable JSON.
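The local decoding described above, together with the 'exp' check and the JWS/JWE distinction, can be sketched as follows. This is an added example, not this tool's own code; `decodeJwt`, `b64urlToJson`, `b64url` and the sample token are hypothetical and constructed for illustration.

```javascript
// Added example: decode a JWT locally without verifying its signature.
// All function names here are hypothetical, not taken from the tool.

function b64urlToJson(segment) {
  // Base64URL -> Base64: swap the URL-safe characters and restore padding,
  // because atob() only accepts the standard alphabet.
  let b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  b64 += "=".repeat((4 - (b64.length % 4)) % 4);
  // atob() yields one character per byte; decode those bytes as UTF-8.
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  return JSON.parse(new TextDecoder("utf-8", { fatal: true }).decode(bytes));
}

function decodeJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  // JWE compact serialization has five segments; its payload is ciphertext.
  if (parts.length === 5) return { kind: "JWE", readable: false };
  if (parts.length !== 3) throw new Error("not a compact JWS: expected 3 segments");
  const header = b64urlToJson(parts[0]);
  const payload = b64urlToJson(parts[1]);
  // exp is seconds since the Unix epoch; a missing exp means no expiry claim.
  let expiry = "NO_EXP";
  if (typeof payload.exp === "number") {
    expiry = nowSeconds >= payload.exp ? "EXPIRED" : "NOT_EXPIRED";
  }
  // signatureVerified is always false: no key is available to a decoder.
  return { kind: "JWS", header, payload, expiry, signatureVerified: false };
}

// Constructed sample token (the signature segment is a dummy value).
function b64url(obj) {
  const bytes = new TextEncoder().encode(JSON.stringify(obj));
  return btoa(String.fromCharCode(...bytes))
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}
const sampleToken = [
  b64url({ alg: "HS256", typ: "JWT" }),
  b64url({ sub: "user-123", name: "Zoë", exp: 1700000000 }),
  "c2lnbmF0dXJl", // constructed placeholder, not a real MAC
].join(".");

console.log(decodeJwt(sampleToken, 1700000001));
```

The result carries `signatureVerified: false` on purpose: header and payload values from an unverified token are attacker-controllable and should only be used for inspection.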
