JWT Decoder

Decode and debug JSON Web Tokens offline. No data leaves your browser.

Encoded Token

HEADER: Algorithm & Token Type
{}
PAYLOAD: Data
{}
SIGNATURE
HMACSHA256(
  base64UrlEncode(header) + "." +
  base64UrlEncode(payload),
  your-256-bit-secret
)

Free Secure JWT Decoder (Client-Side Only)

Bitlist's JWT Debugger is the safest way to decode and inspect JSON Web Tokens directly in your browser. Designed for privacy-conscious developers, our tool ensures that your sensitive tokens, and the secrets they contain, never leave your device.

Why Debug JWTs Locally?

Many online JWT checkers send your data to a backend server for processing. This creates a security risk if you are debugging production tokens or tokens containing sensitive user data (PII).

  • 100% Private: Logic runs via JavaScript in Chrome/Firefox/Safari. No server logging.
  • Instant & Offline: Works without an internet connection once loaded.
  • RFC 7519 Compliant: Accurately parses headers, payloads, and signatures according to the official standard.

Features

  • Color-Coded Segments: Instantly visualize the three parts of a JWT: Header (Algorithm), Payload (Data), and Signature.
  • Error Validation: Get immediate feedback if your token is malformed or invalid.
  • Pretty Print: Automatically formats minified JSON into readable, indented code.

Frequently Asked Questions

Is it safe to paste real tokens here?

Yes. Because no network request is made to send your token anywhere, it is as safe as opening the file in your local text editor. We recommend this tool specifically for developers auditing their authentication flows.

Can I verify the signature?

Currently, this tool visualizes the signature component. Verification requires your private secret key. For security best practices, we generally advise against pasting secret keys into any web page, even client-side ones, to avoid accidental exposure (e.g. via screen sharing).

What algorithms are supported?

We decode the Base64Url structure regardless of algorithm (HS256, RS256, ES256, etc.), allowing you to inspect the claims of any valid JWT.
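
The decode step described in this answer, as an added example that is not Bitlist's code: it splits a token into its three segments, Base64Url-decodes and pretty-prints the header and payload whatever the `alg`, rejects malformed input, and never handles a key. The function names and the sample token are assumptions constructed for illustration.

```javascript
// Added example, not Bitlist's code. Decodes only; nothing here verifies the signature.
function b64urlToBytes(segment) {
  // Base64Url alphabet only (RFC 4648 section 5); a length of 4n+1 can never be valid.
  if (!/^[A-Za-z0-9_-]*$/.test(segment) || segment.length % 4 === 1) {
    throw new Error("not Base64Url");
  }
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return Uint8Array.from(atob(padded), (ch) => ch.charCodeAt(0));
}

function decodeJsonSegment(segment, name) {
  let value;
  try {
    const text = new TextDecoder("utf-8", { fatal: true }).decode(b64urlToBytes(segment));
    value = JSON.parse(text);
  } catch (err) {
    throw new Error(`${name} is not Base64Url-encoded JSON: ${err.message}`);
  }
  if (value === null || typeof value !== "object" || Array.isArray(value)) {
    throw new Error(`${name} must decode to a JSON object`);
  }
  return value;
}

function inspectJwt(token) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) {
    throw new Error(`expected 3 dot-separated segments, got ${parts.length}`);
  }
  const header = decodeJsonSegment(parts[0], "header");
  const payload = decodeJsonSegment(parts[1], "payload");
  const signature = b64urlToBytes(parts[2]);
  return {
    header,
    payload,
    signatureBytes: signature.length,
    unsigned: header.alg === "none" || signature.length === 0,
    verified: false, // decoding proves nothing about authenticity
    pretty: JSON.stringify({ header, payload }, null, 2),
  };
}

// Constructed sample: the signature segment is the text "signature", not a real MAC.
const SAMPLE_TOKEN =
  "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9." +
  "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ." +
  "c2lnbmF0dXJl";
console.log(inspectJwt(SAMPLE_TOKEN).pretty);
```

Treat every decoded claim as untrusted input until the signature has been verified by the service that holds the key.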