Glarso

JWT Decoder

Decode JWT headers and payloads on your device — tokens never leave your browser.

Inspect JWTs without shipping them to a third party

Debugging auth means looking inside tokens — and pasting production JWTs, which are live credentials, into a random website is a genuinely bad habit. This decoder splits and Base64-decodes the header and payload on your device, pretty-prints the JSON, and checks the expiry, with nothing sent anywhere.

Bearer prefixes are stripped automatically, so you can paste straight from an Authorization header.

Frequently asked questions

Is it safe to paste a real token here?

Yes — that's the point of this tool. Decoding happens locally in your browser; the token is never transmitted, logged, or stored. Turn off your network and it still works.

Does it verify the signature?

No. Decoding shows what the token claims (who it's for, when it expires) but doesn't prove it's authentic — verification requires the signing key and belongs on your server.

What are exp and iat?

Standard claims: iat is when the token was issued and exp is when it expires, both as Unix timestamps. The tool converts them to readable dates and flags expired tokens.

More free tools