JWT Decoder
Paste a JWT and read its header, payload, and signature — with humanized timestamps and an expiry banner. Runs entirely in your browser, because a JWT is a credential.
Your token never leaves your browser. We do not transmit, log, or store it.
How to decode a JWT online
Paste your JWT into the textarea. ToolChop splits it on the two dots, base64url-decodes the header and payload, and renders each as syntax-highlighted JSON. Common timestamp claims (exp, iat, nbf) are detected and rendered as human-readable UTC dates inline. A status banner tells you instantly whether the token is valid, expired, not yet valid, or unsigned.
Why a local JWT decoder matters
A JWT is a bearer credential — whoever holds the token can authenticate as the user it was issued for, until it expires. Pasting a live token into a third-party online decoder is equivalent to handing that party an active session. ToolChop's decoder runs entirely in your browser; the token is not transmitted, logged, or cached on any server. You can verify in DevTools → Network that no request fires when you paste.
Decoding is not verification
Decoding a JWT is base64 — anyone can do it. Verifying a JWT requires the signing key (HMAC secret or public key), which lives on your server. ToolChop deliberately does not offer verification: any tool that claims to verify a JWT in the browser requires you to paste your signing key, which is itself a credential and an even worse leak than the token. Verification belongs in your backend.
What you can do
- Decode header, payload, and signature into syntax-highlighted JSON
- See humanized timestamps for exp, iat, nbf
- Get a valid / expired / not-yet-valid status banner instantly
- Detect alg: none tokens
- Copy any segment as raw JSON with one click
Frequently asked questions
How do I decode a JWT online for free?
Paste your JWT into the textarea. ToolChop splits it on dots, base64url-decodes the header and payload, and shows both as syntax-highlighted JSON with humanized timestamps for exp/iat/nbf. No account, no upload, no daily limit.
Does ToolChop send my JWT to a server?
No. Decoding runs entirely in your browser using the built-in atob and JSON.parse functions. Your JWT never leaves your device — this is the single most important property for any JWT tool, because a JWT is a credential. If a third party gets your token, they get your session.
Why is the privacy story for JWTs so important?
A JWT is a bearer token — anyone who holds it can authenticate as the user it was issued for, until it expires. Pasting a live JWT into a tool that logs requests, caches them in a CDN, or sends them across a network is equivalent to handing someone the keys to that session. ToolChop's decoder runs entirely in your browser so the token never goes over the wire.
What is a JWT made of?
Three base64url-encoded segments separated by dots: header.payload.signature. The header says what algorithm signed the token (e.g. HS256, RS256). The payload (also called claims) carries the user info and metadata like exp and iat. The signature proves the token was signed by the issuer with the correct key.
Can ToolChop verify a JWT signature?
No, and no in-browser tool truly can without the signing key. Verification requires the secret (HMAC) or public key (RSA / ECDSA / EdDSA) the issuer used. Verifying a token should happen on your server with your stored key — never in a browser tool. ToolChop decodes the parts so you can inspect the claims; for verification, use the JWT library on your backend.
Why are the exp / iat timestamps formatted as dates?
JWT timestamps are seconds since 1970 — unreadable as raw numbers. ToolChop detects exp, iat, nbf, auth_time, and updated_at and renders the equivalent UTC date inline so you can immediately see when a token was issued and when it expires.
How can ToolChop tell me the token is expired?
It compares the payload's exp claim against the current time in your browser (Math.floor(Date.now() / 1000)). If exp is in the past, ToolChop shows an Expired banner with how long ago the token expired. No clock sync with a server required — the comparison is purely local.
What does it mean if my token has no signature segment?
JWTs using alg: none have no signature segment — the second dot is followed by an empty string. These are unsigned tokens and should be rejected by any verifier in production. ToolChop flags them so you can spot them quickly.
Can I decode a JWE (encrypted JWT)?
No. A JWE has five base64url segments separated by dots (versus three for a JWS / standard JWT) and is encrypted with a recipient key. You cannot decode it without the decryption key. ToolChop only handles signed JWTs (JWS), which is what 99% of APIs issue.
What if my JWT has unusual whitespace or line breaks?
ToolChop trims surrounding whitespace before parsing, so pasting from the clipboard usually works even if the token wraps. If the token is split across lines with characters between segments, remove the line breaks and join the token first.
Are URL-safe characters handled correctly?
Yes. JWTs use base64url encoding (RFC 4648 §5), which uses - and _ instead of + and / and omits = padding. ToolChop normalizes - to +, _ to /, and adds back the right amount of padding before decoding.
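The decode steps described on this page (split on the dots, base64url normalization, humanized exp/iat/nbf, the local expiry comparison, and the alg: none and five-segment JWE checks), written out as an added JavaScript example. It is not ToolChop's own code; the names inspectJwt, b64urlToText and sampleToken and the status strings are assumptions made for this example.

```javascript
// Added example: local-only JWT inspection. Decodes claims; does NOT verify the signature.
function b64urlToText(seg) {
  // base64url (RFC 4648 §5) -> base64: map - to +, _ to /, restore = padding
  let b64 = seg.replace(/-/g, "+").replace(/_/g, "/");
  b64 += "=".repeat((4 - (b64.length % 4)) % 4);
  // atob yields one char per byte; decode those bytes as UTF-8 so non-ASCII claims survive
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes);
}

function inspectJwt(token, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length === 5) return { status: "jwe-not-decodable" }; // encrypted, needs a key
  if (parts.length !== 3) return { status: "malformed" };
  let header, payload;
  try {
    header = JSON.parse(b64urlToText(parts[0]));
    payload = JSON.parse(b64urlToText(parts[1]));
  } catch (e) {
    return { status: "malformed" }; // bad base64, bad UTF-8 or bad JSON
  }
  const isObj = (v) => v !== null && typeof v === "object" && !Array.isArray(v);
  if (!isObj(header) || !isObj(payload)) return { status: "malformed" };
  // Humanize NumericDate claims (seconds since 1970) as UTC ISO strings
  const dates = {};
  for (const claim of ["exp", "iat", "nbf"]) {
    if (typeof payload[claim] !== "number") continue;
    const d = new Date(payload[claim] * 1000);
    if (!isNaN(d)) dates[claim] = d.toISOString(); // skip out-of-range values
  }
  // "valid" here means only "inside its time window"; the signature is never checked
  let status = "valid";
  if (parts[2] === "" || String(header.alg).toLowerCase() === "none") status = "unsigned";
  else if (typeof payload.exp === "number" && payload.exp <= nowSec) status = "expired";
  else if (typeof payload.nbf === "number" && payload.nbf > nowSec) status = "not-yet-valid";
  return { status, header, payload, dates };
}

// Constructed sample builder (hypothetical helper, not a real credential)
function sampleToken(header, payload, sig = "c2ln") {
  const enc = (o) =>
    btoa(String.fromCharCode(...new TextEncoder().encode(JSON.stringify(o))))
      .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return `${enc(header)}.${enc(payload)}.${sig}`;
}
```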
Why use ToolChop instead of jwt.io or another online decoder?
Privacy and discipline. JWTs are credentials — pasting one into any tool whose source you have not audited is risky. ToolChop's decoder runs entirely in your browser (you can verify by opening DevTools → Network), so the token is never transmitted. We also do not advertise verification — verification must happen on your server with your key, and any tool that 'verifies' a JWT in the browser is misleading you.