JWT Token Decoder

Decode JWT tokens and detect PII in claims

3 min read · Author: Redactorr Support Team · [email protected] · Last reviewed: March 2026

JWT Decoder: Peel Back the Layers

JSON Web Tokens (JWTs) are everywhere in modern apps. They're used for authentication, authorization, and passing data between services. But what's actually inside them?

The JWT Decoder shows you what your tokens contain—and whether they're leaking sensitive information.

What's a JWT?

A JWT looks like random gibberish:

```text
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
```

But it's actually three parts separated by dots:

1. Header: Token metadata (algorithm, type)
2. Payload: The actual claims (user data)
3. Signature: Cryptographic verification

The first two parts are just Base64url-encoded JSON; anyone who holds the token can decode them without any key. The signature is what lets the receiving service check that the token was issued by the expected party and hasn't been altered. It does not hide the contents, which is exactly why sensitive data doesn't belong in the payload.

Why Decode?

Check what data you're exposing: JWTs are often passed in URLs, stored in localStorage, or sent over HTTP. If your JWT contains sensitive data like emails, phone numbers, or SSNs, that data is exposed to anyone who intercepts the token.

Debug authentication issues: When login isn't working, peek inside the JWT to see if claims are malformed, expired, or missing required fields.

Audit for compliance: Security audits often require proving that tokens don't contain PII (Personally Identifiable Information). The decoder flags any PII it finds.

What You'll See

After decoding, you get:

  • Header: Algorithm used (HS256, RS256, etc.)
  • Payload: All claims in the token
  • Expiration: When the token expires
  • PII Detection: Any sensitive data in claims (emails, phone numbers, etc.)
  • Token Age: How long the token has been valid

Real-World Example

Bad JWT (contains PII):

```json
{
  "sub": "user123",
  "email": "[email protected]",
  "phone": "555-123-4567",
  "ssn": "123-45-6789"
}
```

Good JWT (no PII):

```json
{
  "sub": "user123",
  "role": "admin",
  "iat": 1516239022,
  "exp": 1516242622
}
```
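As an added example (not the Redactorr tool's own code), here is a small Python script that performs the steps described on this page: it splits a token into its three segments, Base64url-decodes the header and payload, scans claim values for email, phone and SSN patterns like those in the "bad JWT" above, and reports expiry and token age from `exp` and `iat`. The `sign_hs256` and `verify_hs256` helpers, the `PII_PATTERNS` regexes, the sample claims and the demo key are all assumptions made for this example; the regexes are deliberately narrow. Decoding and verification are kept as separate functions to make the point that a decoder's output says nothing about whether a token is authentic.

```python
"""Added example, not the Redactorr decoder's code: decode a JWT without
verifying it, flag PII-looking claims, report expiry, and separately verify
an HS256 signature.  Standard library only, so it runs offline."""
import base64
import hashlib
import hmac
import json
import re
import time

# Constructed, deliberately narrow PII patterns for the demo.
PII_PATTERNS = {
    "email": re.compile(r"[^@\s]+@[^@\s]+\.[A-Za-z]{2,}"),
    "us_phone": re.compile(r"\b\d{3}[-.\s]\d{3}[-.\s]\d{4}\b"),
    "us_ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}


def _b64url_decode(segment: str) -> bytes:
    # JWT segments omit '=' padding; restore it before decoding.
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_unverified(token: str) -> dict:
    """Split header.payload.signature and parse the two JSON parts.
    This is all a decoder does; it proves nothing about authenticity."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("JWT must have exactly three dot-separated segments")
    header = json.loads(_b64url_decode(parts[0]))
    payload = json.loads(_b64url_decode(parts[1]))
    return {"header": header, "payload": payload, "signature": parts[2]}


def detect_pii(claims: dict) -> dict:
    """Return {claim_name: [pii_type, ...]} for string claims that look like PII."""
    findings = {}
    for name, value in claims.items():
        if not isinstance(value, str):
            continue
        hits = [kind for kind, rx in PII_PATTERNS.items() if rx.search(value)]
        if hits:
            findings[name] = hits
    return findings


def expiry_report(claims: dict, now=None) -> dict:
    """Summarise exp/iat: expired or not, seconds left, and token age."""
    now = int(time.time()) if now is None else now
    exp = claims.get("exp")
    iat = claims.get("iat")
    return {
        "expired": exp is not None and now >= exp,
        "seconds_until_expiry": None if exp is None else exp - now,
        "age_seconds": None if iat is None else now - iat,
    }


def sign_hs256(header: dict, payload: dict, key: bytes) -> str:
    """Constructed helper to mint test tokens (HS256 as in RFC 7519)."""
    h = _b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    p = _b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return f"{h}.{p}.{_b64url_encode(sig)}"


def verify_hs256(token: str, key: bytes) -> bool:
    """Recompute the HMAC over header.payload and compare in constant time.
    Only alg=HS256 is accepted, so a header that says 'none' is rejected."""
    h, p, s = token.split(".")
    if json.loads(_b64url_decode(h)).get("alg") != "HS256":
        return False
    expected = hmac.new(key, f"{h}.{p}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, _b64url_decode(s))


if __name__ == "__main__":
    key = b"constructed-demo-key"  # placeholder, not a real secret
    bad = sign_hs256({"alg": "HS256", "typ": "JWT"},
                     {"sub": "user123", "email": "jane@example.com",
                      "phone": "555-123-4567", "ssn": "123-45-6789",
                      "iat": 1516239022, "exp": 1516242622}, key)
    decoded = decode_unverified(bad)
    print(decoded["payload"])
    print(detect_pii(decoded["payload"]))   # email, phone and ssn flagged
    print(expiry_report(decoded["payload"], now=1516240000))
    print(verify_hs256(bad, key), verify_hs256(bad, b"wrong-key"))
```

Run it directly to see the decoded claims, the PII findings and the expiry report for a constructed token. `decode_unverified` also works on the sample token shown earlier on this page, since reading the header and payload needs no key at all.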

Your Tokens Stay Private

Decoding happens in your browser. Original tokens stay local during decoding.