How to Decode a JWT Locally
JWTs are easy to decode because most are encoded rather than encrypted. That makes local decoding a better default when you only need to inspect claims during debugging.
Updated 2026-05-25
What local decoding shows
A JWT usually has a header, payload, and signature separated by dots. The header and payload can be Base64URL-decoded into JSON so you can inspect fields such as alg, typ, sub, iss, aud, exp, iat, and nbf.
What local decoding does not prove
Decoding a JWT is not verification. A decoded token may still be expired, forged, intended for a different audience, issued by the wrong authority, or signed with a key your application should reject.
- Verify the signature with the correct key.
- Check issuer and audience claims.
- Check expiration and not-before timestamps.
- Treat production tokens as credentials.
Safe workflow
Use the JWT Decoder to inspect the token locally, then use your application or identity provider tooling for full validation. When sharing a decoded payload in a ticket, redact subject identifiers, emails, tenant IDs, and scopes as needed.
FAQ
Are JWT payloads encrypted?
Most JWT payloads are only encoded. Encrypted JWTs exist as JWE, but a normal signed JWT can be read by anyone who has it.
Can local decoding validate a token?
No. Local decoding only reveals the token contents. Validation requires signature and claim checks.