JWT Decoder

Decode standard three-part JWTs locally, inspect formatted header and payload JSON, copy the raw signature, and check exp/nbf/iat timing without verification.

Note: this tool only decodes and displays the token. It does not verify the signature, and decoded claims can be forged until a trusted backend validates them.

Quick Start

1. Paste the complete JWT with three dot-separated parts.
2. Read Header and Payload JSON; Signature is shown raw, not verified.
3. Check exp/nbf/iat against local and UTC time.
4. Copy the needed part; clear sensitive tokens when finished.

Common Scenarios

API debugging: quickly inspect token content and compare claims.
Expiration check: inspect exp and nbf for expired or not-yet-active timing.
Learning JWT: understand Header/Payload structure and Base64URL encoding.
Environment comparison: compare tokens across dev/test/prod environments.

Usage Advice

Decoded payload is readable, not trusted. Production systems must verify the signature and validate iss, aud, sub, scope, and revocation rules on the backend.
Avoid pasting tokens that contain sensitive data on public devices.
Time fields are Unix timestamps (seconds); the tool converts them to local and UTC time.

Decoder Contract

The input must be a compact three-part JWT in the form header.payload.signature. JWE five-part tokens and custom token formats are outside this decoder.
Header and Payload are Base64URL-decoded as UTF-8 and then parsed as JSON. If either part is not valid Base64URL or JSON, the source input stays in place and the result shows the matching error.
The Signature panel shows the raw third segment only. No secret, public key, JWK, JWKS, or Web Crypto verification is performed here.

Security Boundary

JWT decoding runs locally in your browser. Token input may stay as a browser draft. If a saved workspace or WebDAV sync is enabled, the token input may be saved through that sync. Header, Payload, Signature display data, claim time cards, parse errors, copy state, and undo history are derived from the current token and are not saved as separate result data. This tool does not verify signatures, fetch JWKS or URLs, upload tokens, create attachments, or create decoded-file downloads. On a shared device, clear the token and site data when finished.
If the token contains sensitive information, use a private device and clear the input after inspection.
Decoding only makes claims readable. It does not prove the token was issued by your server, accepted by an API, or safe to trust.
alg, kid, iss, aud, sub, scope, roles, and jti are shown as plain JSON fields. Validate them with your backend, issuer metadata, keys, audience rules, and revocation policy.
Time status uses exp and nbf with your local clock. Server clock skew, grace periods, session revocation, and refresh-token state can change the real result.
Unsupported here: signature verification, secret or public-key input, JWK/JWKS lookup, OIDC discovery, OAuth introspection, JWE decryption, nested JWT parsing, token generation, and server-side validation.
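As an added example that is not the tool's own code, here is a small Node.js decoder that follows the decoder contract and time-status rules described above: it splits the compact token, Base64URL-decodes header and payload as UTF-8, parses them as JSON, names the part that failed, returns the third segment raw without verifying it, and derives an exp/nbf/iat status from a clock the caller supplies. The sample token and its `c2ln` signature segment are constructed placeholders, not real credentials.

```javascript
function base64UrlDecode(segment) {
  // Base64URL (RFC 7515 section 2): '-' and '_' replace '+' and '/', padding is
  // omitted; a length of 4n+1 can never be valid, so reject it up front.
  if (!/^[A-Za-z0-9_-]*$/.test(segment) || segment.length % 4 === 1) {
    throw new Error("not valid Base64URL");
  }
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, "base64").toString("utf8");
}

function base64UrlEncode(text) {
  return Buffer.from(text, "utf8").toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}
// Split a compact JWS (header.payload.signature), decode header and payload, and
// name the part that failed. The third segment is passed through raw, unverified.
function decodeJwt(token) {
  const parts = token.split(".");
  if (parts.length !== 3) {
    return { header: null, payload: null, signature: null, error: `expected 3 dot-separated parts, got ${parts.length}` };
  }
  const out = { header: null, payload: null, signature: parts[2], error: null };
  for (const [name, segment] of [["header", parts[0]], ["payload", parts[1]]]) {
    try {
      out[name] = JSON.parse(base64UrlDecode(segment));
    } catch (e) {
      out.error = `${name}: ${e.message}`;
      break;
    }
  }
  return out;
}

// Readability aid only: exp/nbf/iat are Unix seconds compared with a clock the
// caller supplies. Server skew allowance and revocation decide the real outcome.
function timeStatus(payload, nowSeconds) {
  const s = {};
  if (typeof payload.exp === "number") s.expired = nowSeconds >= payload.exp;
  if (typeof payload.nbf === "number") s.notYetActive = nowSeconds < payload.nbf;
  if (typeof payload.iat === "number") s.issuedInFuture = payload.iat > nowSeconds;
  return s;
}

// Constructed sample token, not a real credential; "c2ln" stands in for a signature.
const SAMPLE_TOKEN = [
  base64UrlEncode(JSON.stringify({ alg: "HS256", typ: "JWT" })),
  base64UrlEncode(JSON.stringify({ sub: "user-123", iat: 1700000000, nbf: 1700000000, exp: 1700003600 })),
  "c2ln",
].join(".");
```

Run with `node` and call `decodeJwt(SAMPLE_TOKEN)` and `timeStatus(decodeJwt(SAMPLE_TOKEN).payload, Math.floor(Date.now() / 1000))` to see the decoded parts and the status the tool's time cards correspond to.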

Limitations & Compatibility

Base64URL decoding only; no signature verification.
Only standard three-part JWTs are supported; JWE and custom formats are not supported.
Nested JWTs (a JWT inside the payload) are not processed.
The time status is not a complete validity check. A token can be not expired and still be rejected by the server.
This page offers copy actions only. It does not download, export, save, or share decoded token files.
