Paste multiple JSON Web Tokens, one per line, and decode all of them at once — header, payload, and expiry status for each. Runs entirely in your browser using atob(); nothing is sent anywhere.
Decoding a JWT and verifying it are different operations. The header and payload of a JWT are Base64URL-encoded, not encrypted — anyone can decode them without any key, which is exactly what this tool does. Verifying a signature requires the secret or public key used to sign the token, which this tool never asks for and never needs. Don't treat a successfully "decoded" token as proof it's valid or untampered — that requires signature verification on the server side, with the actual signing key.
Every other JWT decoder that turns up in a search decodes one token at a time. That's fine for a single debugging session, but it breaks down when you're auditing a batch of tokens: checking which ones in a list are expired, comparing claims across several user sessions, or reviewing tokens exported from logs. Pasting them one by one into a single-token tool is exactly the repetitive task this site exists to remove.
Decoding itself never leaves your browser — you can confirm this in your Network tab. That said, treat any tool (including this one) with caution for tokens carrying real permissions: the safest habit is to test with expired or throwaway tokens where possible, and to check the network tab yourself rather than take any tool's word for it.
It tells you which algorithm was used to sign the token (e.g. HS256, RS256). A well-known and historically serious class of JWT vulnerability involves attackers changing this field to "none" or exploiting algorithm confusion between symmetric and asymmetric schemes. If you're implementing JWT verification yourself, never let the token's alg field decide how it is verified; pin the expected algorithm in your verification code instead.
It's flagged as invalid rather than silently skipped, so a typo or a stray blank line doesn't quietly disappear from your batch results.
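The batch behaviour described on this page, as an added example written for it rather than the tool's own source: each pasted line is Base64URL-decoded with atob(), header and payload are parsed, an expiry status is derived from exp, and blank or malformed lines are flagged in place rather than dropped, so the output keeps one entry per input line. The sample input is constructed here; its first line is the widely published jwt.io demo token, the next two are built in the block with a dummy signature segment, and the function names (`decodeJwt`, `decodeBatch`, `fakeToken`) are this example's own.

```javascript
// Added example (not the tool's own code): batch JWT decoding, no verification.
// atob()/btoa() are browser globals (Node 16+ has them too); fallback for older Node.
const atobFn = typeof atob === 'function' ? atob : (s) => Buffer.from(s, 'base64').toString('latin1');
const btoaFn = typeof btoa === 'function' ? btoa : (s) => Buffer.from(s, 'latin1').toString('base64');

// Base64URL -> bytes: swap the URL-safe alphabet back, restore padding, then atob().
function base64UrlToBytes(seg) {
  let b64 = seg.replace(/-/g, '+').replace(/_/g, '/');
  while (b64.length % 4 !== 0) b64 += '=';
  const bin = atobFn(b64);
  return Uint8Array.from(bin, (ch) => ch.charCodeAt(0));
}

// Decode one segment as a UTF-8 JSON object; throws on anything malformed.
function decodeSegment(seg) {
  if (!/^[A-Za-z0-9_-]+$/.test(seg)) throw new Error('not Base64URL');
  const obj = JSON.parse(new TextDecoder().decode(base64UrlToBytes(seg)));
  if (obj === null || typeof obj !== 'object' || Array.isArray(obj)) throw new Error('not a JSON object');
  return obj;
}

// Decode one token. The third segment is never examined: this is decoding, not verification.
function decodeJwt(token, nowSeconds) {
  const parts = token.split('.');
  if (parts.length !== 3) return { ok: false, error: `expected 3 segments, got ${parts.length}` };
  let header, payload;
  try {
    header = decodeSegment(parts[0]);
    payload = decodeSegment(parts[1]);
  } catch {
    return { ok: false, error: 'header or payload is not a Base64URL-encoded JSON object' };
  }
  let status;
  if (typeof payload.exp !== 'number') status = 'no exp claim';
  else if (payload.exp <= nowSeconds) status = 'expired';
  else status = 'active';
  return { ok: true, header, payload, status };
}

// Decode every line of a pasted batch. Blank and malformed lines are flagged,
// not skipped, so the result has exactly one entry per input line.
function decodeBatch(text, nowSeconds = Math.floor(Date.now() / 1000)) {
  return text.split(/\r?\n/).map((raw, i) => {
    const line = raw.trim();
    if (line === '') return { line: i + 1, ok: false, error: 'blank line' };
    return { line: i + 1, ...decodeJwt(line, nowSeconds) };
  });
}

// Constructed sample input. Line 1 is the well-known jwt.io demo token (HS256, no exp);
// lines 2 and 3 are built here with a dummy signature; line 4 is blank; line 5 is junk.
function fakeToken(payload) {
  const enc = (obj) => btoaFn(JSON.stringify(obj)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return `${enc({ alg: 'HS256', typ: 'JWT' })}.${enc(payload)}.not-a-real-signature`;
}
const SAMPLE_INPUT = [
  'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c',
  fakeToken({ sub: 'alice', exp: 1600000000 }),
  fakeToken({ sub: 'bob', exp: 1800000000 }),
  '',
  'this is not a token',
].join('\n');

if (typeof require !== 'undefined' && require.main === module) {
  // Fixed "now" so the expiry column is reproducible.
  for (const r of decodeBatch(SAMPLE_INPUT, 1700000000)) console.log(JSON.stringify(r));
}
```

The `nowSeconds` parameter exists so expiry can be evaluated against a fixed clock when reviewing tokens exported from logs; omit it to use the current time. Note that `status: 'active'` only means exp has not passed; it says nothing about whether the signature is genuine.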
No — this handles standard signed JWTs (JWS), which is what you'll encounter in the vast majority of authentication flows. JWE (encrypted JWTs) require the recipient's private key to decrypt and are a separate, less common format.