Toolsmith Hub

Vercel-ready developer utilities with a local-first execution bias.


JWT Decoder (Local)

The JWT Decoder parses a token's header and payload locally inside the browser and renders the JSON in a readable format. It is built for debugging claims, algorithm metadata, and expiration timing while keeping the trust posture explicit: the token is not uploaded or verified by a server.

JWT decoding happens locally in your browser. This page does not send the token, secret, or payload to a server, and it does not verify signatures.

Header

{
  "alg": "HS256",
  "typ": "JWT"
}

Payload

{
  "sub": "user_123",
  "aud": "toolsmithhub",
  "iat": 1718107200,
  "nbf": 1718107200,
  "exp": 1718110800
}

Time claim summary

iat

2024-06-11T12:00:00.000Z (730 days ago)

nbf

2024-06-11T12:00:00.000Z (730 days ago)

exp

2024-06-11T13:00:00.000Z (730 days ago)

How to use it

  1. Paste a JWT into the textarea. The page decodes the header and payload locally as soon as the token format is valid.
  2. Inspect the pretty-printed JSON and the claim summary for fields such as exp, iat, and nbf.
  3. Copy the decoded header or payload when you need to compare claims in logs, docs, or a support ticket.

Why this tool

A trust-first debugging tool for inspecting JWT structure and readable claims without sending the token to a server.

Core function: Decode JWT header and payload locally in the browser.

Unique angle: Make local-only processing explicit and summarize time claims clearly.

Examples

Copy-ready examples for common workflows

Inspect a staging token's expiry and audience

Input

Paste a token with exp, iat, aud, and sub claims

Output

Readable header and payload JSON plus a claim summary showing expiry time, issued time, and audience value.

Compare custom claims across two environments

Input

Paste a token from QA or production into the decoder

Output

Side-by-side copyable JSON values can be pasted into a diff tool or incident note to spot claim drift.

FAQ

Questions this page answers up front

Does this tool verify the JWT signature?

No. It decodes the token structure locally but does not validate the signature because that would require the correct verification key and issuer context.

Is my token sent to a server?

No. The decoder runs entirely in the browser and is intentionally labeled as local-only so the token stays on the device.

Why show exp, iat, and nbf separately?

Those claims are the fastest way to understand whether a token is already valid, when it was issued, and when it will expire, which are the most common JWT debugging questions.
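The local decode and time claim summary described above, as an added example that is not this page's own source code. The function names (b64urlToJson, decodeJwt, makeSampleToken) are hypothetical, and the sample token is constructed from the header and payload shown on this page with a placeholder signature.

```javascript
// Added example: decode a compact JWT locally. No network call, no signature check.
function b64urlToJson(segment) {
  // base64url -> base64, then restore the padding that JWT encoding strips
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  // fatal: true rejects invalid UTF-8 instead of silently substituting characters
  return JSON.parse(new TextDecoder("utf-8", { fatal: true }).decode(bytes));
}

function decodeJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3 || !parts[0] || !parts[1]) {
    throw new Error("expected header.payload.signature");
  }
  const header = b64urlToJson(parts[0]);
  const payload = b64urlToJson(parts[1]);
  const times = {};
  for (const claim of ["iat", "nbf", "exp"]) {
    if (typeof payload[claim] !== "number") continue; // absent or non-numeric: skip
    const d = new Date(payload[claim] * 1000); // claims are seconds since the epoch
    times[claim] = Number.isNaN(d.getTime()) ? "out of range" : d.toISOString();
  }
  return {
    header,
    payload,
    times,
    notYetValid: typeof payload.nbf === "number" && nowSeconds < payload.nbf,
    expired: typeof payload.exp === "number" && nowSeconds >= payload.exp,
    // Decoding proves nothing about authenticity; the claims are unverified input.
    signatureVerified: false,
  };
}

// Constructed sample: the page's header and payload, with a placeholder signature.
function makeSampleToken() {
  const enc = (obj) =>
    btoa(JSON.stringify(obj)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  const header = { alg: "HS256", typ: "JWT" };
  const payload = { sub: "user_123", aud: "toolsmithhub",
                    iat: 1718107200, nbf: 1718107200, exp: 1718110800 };
  return [enc(header), enc(payload), "c2lnbmF0dXJl"].join(".");
}

const decoded = decodeJwt(makeSampleToken());
console.log(JSON.stringify(decoded, null, 2));
```

The result carries signatureVerified: false on every call, so anything that consumes the decoded claims has to treat them as untrusted until a verifier with the correct key has checked the token.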