Decode JWTs Without Sharing Your Secret Key
Paste any bearer token to instantly inspect its header, payload and expiry. No secret key needed. Nothing sent to a server.
What Is a JWT Decoder?
A JWT (JSON Web Token) is a Base64url-encoded string with three parts separated by dots: a header (algorithm and token type), a payload (claims like user ID, roles, and expiration), and a signature. A decoder extracts and displays the header and payload in readable JSON — no secret key required, because the data isn't encrypted, only encoded.
This tool is useful for debugging expired tokens, inspecting Auth0/Firebase/Okta responses, troubleshooting OAuth2 flows, and verifying claims in mobile apps. Unlike jwt.io and similar tools, this decoder makes no network requests — your token never leaves your browser.
JWT Decoder vs jwt.io — What's the Difference?
| Feature | ResourceCentral | jwt.io | Manual atob() |
|---|---|---|---|
| Token stays on device | ✓ Yes | ⚠ Unclear | ✓ Yes |
| Syntax-highlighted output | ✓ Yes | ✓ Yes | ✗ No |
| Expiry decoded to human time | ✓ Yes | ✓ Yes | ✗ No |
| No account required | ✓ Yes | ✓ Yes | ✓ Yes |
| Secret key required | Not needed | Optional (for verify) | Not needed |
JWT Structure: What Each Part Means
| Part | Contains | Example Claims | Sensitive? |
|---|---|---|---|
| Header | Algorithm & token type | alg: HS256, typ: JWT | Low |
| Payload | Claims (user data) | sub, email, role, exp, iat | ⚠ Often yes |
| Signature | Cryptographic proof | HMAC / RSA hash | Medium |
FAQ
Is it safe to decode a production JWT here?
Yes. Decoding runs entirely in your browser using JavaScript. No token data is sent to any server. Safe for production tokens containing user IDs, roles, and API credentials.
Do I need my secret key to decode a JWT?
No. The header and payload are Base64-encoded, not encrypted. You only need the secret key to cryptographically verify the signature — decoding just reads the data that's already there.
What's the difference between decoding and validating?
Decoding extracts the payload claims in readable JSON. Validation cryptographically verifies the signature to confirm the token hasn't been tampered with. For debugging expired tokens or inspecting claims, decoding is all you need.
Why does my token start with eyJ?
eyJ is the Base64 encoding of {" — which is how every JSON object starts. All valid JWTs begin with eyJ because both the header and payload are JSON objects encoded in Base64.
What does the exp claim mean?
exp is a Unix timestamp (seconds since 1970-01-01 00:00:00 UTC) indicating when the token expires. The status bar above shows this decoded to a human-readable date. If exp is in the past, the token is expired and will be rejected by your server.