Pickrack

JWT Decoder

Decode JWT header and payload. Browser-side — your token never leaves your tab.

Decode-only — does NOT verify signatures

Signature verification needs the secret/public key. Pickrack stays decode-only for safety. Open DevTools to verify zero network calls.

Decode JWT header and payload. Inspect claims, expiry, and structure. Browser-side — tokens never leave your tab.

JWT Decoder is critical for backend devs and API integrators. JWTs (JSON Web Tokens) carry claims about a user (ID, role, expiry) — when something breaks in auth, you need to inspect the payload to see what the token actually contains.

Pickrack's decoder splits the JWT on dots, Base64-decodes header and payload, parses the JSON, and shows you the claims. All in your browser — your tokens (which often contain user IDs, session info, or service-account secrets) never upload anywhere. Verify in DevTools → Network.

Free, no signup. The tool also flags expired tokens (exp claim in past) and shows time-until-expiry. Does NOT verify signatures — that requires the secret/public key, out of scope for a decode-only tool.

Key features

  • Browser-side only: Token splits, decodes, and JSON-parses in your tab. Zero network calls during decoding.
  • Header + payload + signature: Three sections shown side-by-side. Header reveals algorithm (alg) and key ID (kid). Payload has the claims. Signature shown but not verified.
  • Expiry detection: Highlights exp, nbf, iat claims and shows time-until-expiry. Red badge for expired tokens.
  • Standard claims explained: Hovers explain iss (issuer), sub (subject), aud (audience), jti (JWT ID) — useful when debugging unfamiliar tokens.
  • URL-safe Base64 handled: JWTs use URL-safe Base64 with no padding. The decoder normalizes (- → +, _ → /, adds = padding) before decoding.

How to use

  1. Paste your JWT: Format xxx.yyy.zzz (3 segments separated by dots). Whitespace and Bearer prefix auto-stripped.
  2. Inspect the header and payload: Header shows the algorithm. Payload shows your claims, including expiry status.
  3. Use claims to debug: Check exp is in the future, iss matches your auth provider, sub matches the user ID you expect.
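The whole decode-only pipeline described above (strip the Bearer prefix, split on dots, normalize URL-safe Base64, parse header and payload, flag exp/nbf/iat) as an added JavaScript example. This is not Pickrack's own code; the function names, the constructed sample token and the "above 1e11 means milliseconds" heuristic are assumptions made for the example. Only atob/btoa, TextEncoder and TextDecoder are used, so it runs unchanged in a browser tab or in Node.

```javascript
// Added example (not Pickrack's own code): a decode-only JWT inspector that
// follows the steps the page describes. Runs in a browser or in Node, using
// only the built-in atob/btoa, TextEncoder and TextDecoder.

// Convert URL-safe Base64 ("-" for "+", "_" for "/", padding stripped) back
// to standard Base64, then decode the bytes as UTF-8.
function base64UrlDecode(segment) {
  let s = segment.replace(/-/g, "+").replace(/_/g, "/");
  const rem = s.length % 4;
  if (rem === 1) throw new Error("invalid base64url length");
  if (rem) s += "=".repeat(4 - rem);
  const bytes = Uint8Array.from(atob(s), (c) => c.charCodeAt(0));
  // fatal:true makes mangled bytes throw instead of decoding to U+FFFD garbage.
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes);
}

// Inverse helper, used only to build the constructed sample tokens below.
function base64UrlEncode(str) {
  const bytes = new TextEncoder().encode(str);
  let binary = "";
  for (const b of bytes) binary += String.fromCharCode(b);
  return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Decode header and payload WITHOUT verifying the signature. `nowSeconds` is
// injectable so expiry checks are deterministic; it defaults to the real clock.
function decodeJwt(input, nowSeconds = Math.floor(Date.now() / 1000)) {
  // Accept "Bearer <token>" and surrounding whitespace, as the tool does.
  const token = String(input).trim().replace(/^Bearer\s+/i, "");
  const parts = token.split(".");
  if (parts.length === 5) throw new Error("5 segments: this is JWE, which needs the decryption key");
  if (parts.length !== 3) throw new Error(`expected 3 dot-separated segments, got ${parts.length}`);
  const [h, p, signature] = parts;

  let header, payload;
  try {
    header = JSON.parse(base64UrlDecode(h));
    payload = JSON.parse(base64UrlDecode(p));
  } catch (e) {
    // Opaque tokens and corrupted segments end up here.
    throw new Error(`segment is not base64url-encoded JSON (not a JWT, or corrupted): ${e.message}`);
  }

  // Time claims are NumericDate values in seconds; a value above ~1e11 is
  // almost certainly milliseconds from a library that used Date.now() (assumed heuristic).
  const timing = {};
  for (const claim of ["exp", "nbf", "iat"]) {
    if (typeof payload[claim] === "number") {
      timing[claim] = { seconds: payload[claim], looksLikeMilliseconds: payload[claim] > 1e11 };
    }
  }
  const hasExp = typeof payload.exp === "number";
  return {
    header,
    payload,
    signature, // shown, never checked
    verified: false,
    timing,
    expired: hasExp && payload.exp <= nowSeconds,
    notYetValid: typeof payload.nbf === "number" && payload.nbf > nowSeconds,
    secondsUntilExpiry: hasExp ? payload.exp - nowSeconds : null,
  };
}

// Build a constructed sample token (the signature segment is a placeholder,
// so it is deliberately unverifiable) to exercise the decoder offline.
function sampleToken(payload, header = { alg: "HS256", typ: "JWT" }) {
  return `${base64UrlEncode(JSON.stringify(header))}.${base64UrlEncode(JSON.stringify(payload))}.placeholder-sig`;
}
```

Note that `verified` is hard-wired to `false`: the returned claims are whatever the token says, not what the issuer signed, which is exactly the limitation the page states.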

When to use

  • Debug a 401 Unauthorized — paste the failing JWT to see if it's expired or has the wrong audience
  • Verify token claims during local dev — confirm role: admin is actually in the payload before testing privileged endpoints
  • Inspect a third-party JWT (Auth0, Cognito, Okta) to see what custom claims they're emitting
  • Check token TTL — see how long until your auth tokens expire
  • Read a refresh token's claims to understand the rotation policy
  • Confirm key rotation by inspecting kid (key ID) header field

Frequently asked questions

Does this verify the JWT signature?

No — only decodes. Signature verification requires the secret (HS256) or public key (RS256/ES256), which would mean uploading or fetching keys. Pickrack stays decode-only for safety. Use jwt.io with caution (server-side) or JWT libraries in your code (jose, jsonwebtoken) for verification.

Are JWTs encrypted?

Standard JWTs are SIGNED but not encrypted — the payload is Base64 (not encrypted) and readable by anyone. Don't put secrets in JWT claims. JWE (JSON Web Encryption) is the encrypted variant and is much less common.

Is my token sent to your server?

No. Splitting on dots and Base64-decoding happens in your browser. Verify in DevTools → Network — zero network calls during decoding.

Why does my token decode to garbled text?

Either it's not a real JWT (some 'tokens' are just opaque random strings) or the Base64 segments are corrupted. Check format: 3 segments separated by 2 dots, each segment is URL-safe Base64.

What does the alg field mean?

The signing algorithm: HS256 (symmetric, shared secret), RS256/ES256 (asymmetric, public key). HS256 is common for backend services; RS256 for OAuth/OIDC providers.

Can I decode JWE (encrypted JWTs)?

Not without the decryption key. Pickrack handles JWS (signed) only. JWE has 5 segments instead of 3 and requires the appropriate key.

What if my JWT is in the URL or auth header?

Strip the Bearer prefix or URL-decode first. The decoder accepts the raw 3-segment string.

Is exp in seconds or milliseconds?

The JWT spec uses a Unix timestamp in SECONDS. The decoder converts it to local time for display. Some libraries (looking at you, JavaScript) use milliseconds — double-check your backend.
