How to Decode JWT Tokens Safely (Without Sending Them to a Server)

JSON Web Tokens (JWT) are everywhere in modern authentication. Here’s how to inspect them safely without leaking sensitive data.

What is a JWT?

A JSON Web Token (JWT) is a compact, URL-safe token format often used for authentication and authorization. It consists of three base64url-encoded parts separated by dots.

header.payload.signature

JWT structure: header, payload, signature

  • Header – contains metadata like the algorithm and token type.
  • Payload – contains claims such as sub, exp, iat and custom fields.
  • Signature – ensures integrity when verified with the correct key.

Why online JWT decoders can be risky

Some JWT decoder websites send tokens to a remote backend server for decoding or logging. If your token contains sensitive information, sending it to an untrusted server is dangerous.

  • Tokens may be logged on the server side.
  • Sensitive claims might be exposed to third parties.
  • If a token is still valid, it could potentially be misused.

Decoding JWTs 100% client-side

A safer approach is to use a decoder that works entirely in your browser, with no network calls. The JWT Decoder on JSONViewerTool.com is designed to be 100% client-side.

  1. Open JWT Decoder.
  2. Paste your JWT token into the left editor.
  3. Click Decode JWT.
  4. Inspect the decoded header and payload on the right.

Important: decoding is not verifying

Decoding a JWT simply base64url-decodes the header and payload. It does not verify the signature or tell you whether the token is valid, unexpired or trusted; the decoded claims are exactly what the token's issuer (or anyone who edited it) chose to put there. Always perform proper signature and claim verification on the server side.
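An added example (not the JSONViewerTool.com decoder's own code) of the purely client-side decoding this article describes: it splits the token, base64url-decodes header and payload in plain JavaScript, and never looks at the signature, so the result is explicitly marked as unverified. The sample token is constructed from the well-known example header and payload with a dummy signature.

```javascript
// Added example: local JWT decoding with no network calls.
// It only base64url-decodes; it does NOT verify the signature.

function base64UrlDecode(segment) {
  // JWT segments use the base64url alphabet (RFC 4648 section 5), padding stripped.
  let b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const rem = b64.length % 4;
  if (rem === 1) throw new Error("invalid base64url segment length");
  if (rem) b64 += "=".repeat(4 - rem);
  // atob yields a binary string; decode its bytes as UTF-8 so non-ASCII claims survive.
  const bin = typeof atob === "function"
    ? atob(b64)
    : Buffer.from(b64, "base64").toString("binary"); // older Node fallback
  const bytes = Uint8Array.from(bin, (c) => c.charCodeAt(0));
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes);
}

function decodeJwt(token) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const [h, p, s] = parts;
  const header = JSON.parse(base64UrlDecode(h));
  const payload = JSON.parse(base64UrlDecode(p));
  if (header === null || typeof header !== "object" ||
      payload === null || typeof payload !== "object") {
    throw new Error("header and payload must be JSON objects");
  }
  // The signature is passed through untouched: nothing here checks it.
  return { header, payload, signature: s, verified: false };
}

// Reads exp from the decoded (untrusted) payload; a forged token can lie here too.
function isExpired(payload, nowSeconds = Math.floor(Date.now() / 1000)) {
  return typeof payload.exp === "number" && payload.exp <= nowSeconds;
}

// Constructed sample: {"alg":"HS256","typ":"JWT"} .
// {"sub":"1234567890","name":"John Doe","iat":1516239022} . dummy signature
const SAMPLE_JWT =
  "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9." +
  "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ." +
  "dummy-signature-not-checked";

const decoded = decodeJwt(SAMPLE_JWT);
console.log(JSON.stringify(decoded, null, 2)); // verified: false, always
```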

Next steps

Whenever you need to quickly inspect a token, use the online JWT Decoder. For full security, always validate tokens on the server as well.
