JWT Decoder

Inspect a compact JSON Web Token locally, understand registered claims, and keep the distinction between decoding and verification explicit.

Local processing: Your input stays in this browser tab.

Encoded token

Paste a compact JSON Web Token


Decoded outputs

Decoded JSON, Java record model, and verification snippets

Header and payload: Decoded JSON appears here. The signature is never treated as verified.

A decoded JWT is not a trusted JWT

JWT header and payload segments are Base64URL-encoded, not encrypted. Anyone can create readable segments. Signature verification requires the expected algorithm and a trusted key obtained through a secure, application-specific process.

PayloadHarbor intentionally does not accept signing secrets, fetch remote JWKS documents, or label tokens as valid. Use your application's authentication library to verify a token before trusting its claims.

Common registered claims

  • iss identifies the issuer.
  • sub identifies the token's subject.
  • aud identifies intended recipients.
  • iat, nbf, and exp are NumericDate values in Unix seconds.
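The decode-only inspection described above, together with the NumericDate handling of iat, nbf and exp, as an added example (not PayloadHarbor's own code). The function names, the sample claims and the issuer.example / api.example values are constructed for illustration; the sample token is assembled without any key, yet it decodes cleanly, which is why the result always carries verified: false.

```javascript
// Added example: decode-only inspection of a compact JWT. Nothing here verifies a signature.
function b64urlToJson(segment) {
  if (!/^[A-Za-z0-9_-]+$/.test(segment)) throw new Error("segment is not Base64URL");
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return JSON.parse(new TextDecoder("utf-8", { fatal: true }).decode(bytes));
}

function decodeUnverified(token) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  return {
    header: b64urlToJson(parts[0]),
    payload: b64urlToJson(parts[1]),
    signaturePresent: parts[2].length > 0,
    verified: false, // decoding never establishes trust
  };
}

// iat, nbf and exp are NumericDate values: seconds since the Unix epoch, not milliseconds.
function timeClaimStatus(payload, nowSeconds) {
  const notes = [];
  for (const name of ["iat", "nbf", "exp"]) {
    if (name in payload && !Number.isFinite(payload[name])) notes.push(name + " is not a NumericDate");
  }
  if (Number.isFinite(payload.nbf) && nowSeconds < payload.nbf) notes.push("not yet valid (nbf)");
  if (Number.isFinite(payload.exp) && nowSeconds >= payload.exp) notes.push("expired (exp)");
  return notes;
}

// Constructed sample: built by hand with no key, so the third segment is not a real signature.
function toB64url(obj) {
  const bytes = new TextEncoder().encode(JSON.stringify(obj));
  return btoa(String.fromCharCode(...bytes)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}
const SAMPLE_TOKEN = [
  toB64url({ alg: "HS256", typ: "JWT" }),
  toB64url({ iss: "https://issuer.example", sub: "user-123", aud: "api.example",
             iat: 1700000000, nbf: 1700000000, exp: 1700003600 }),
  "bm90LWEtc2lnbmF0dXJl", // Base64URL of the text "not-a-signature"
].join(".");

const decoded = decodeUnverified(SAMPLE_TOKEN);
console.log(decoded.header, decoded.payload, "verified:", decoded.verified);
console.log(timeClaimStatus(decoded.payload, 1700007200));
```

The time checks only describe what the claims say; they carry no weight until the application's authentication library has verified the signature with the expected algorithm and a trusted key.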

Handling tokens safely

Prefer synthetic or redacted tokens for debugging. Even with browser-local processing, tokens can be exposed through malicious extensions, clipboard managers, screen sharing, device compromise, or accidental logging elsewhere. Never treat a decoded payload as proof of identity or authorization.