JWT Decoder: Decode and Verify Tokens Without Compromising Security
Let's talk about JWT tokens.
If you've worked with any modern web app in the last 5 years, you've handled them. Auth flows, API keys, session tokens — they're everywhere.
But here's the thing: a lot of devs use JWTs without really understanding what's inside one. And worse, some paste production tokens into random "JWT debugger" sites that may or may not log them.
In this guide, I'll show you what a JWT decoder actually does, how to use one safely, and the free tool I personally use that runs 100% in the browser.
What's actually in a JWT
A JSON Web Token has three parts, separated by dots:
header.payload.signature
For example:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjMiLCJleHAiOjE2MjYxMjM0NTZ9.abc123def456...
That's not encrypted. It's just base64-encoded.
The JWT header says what algorithm signed the token (usually HS256 or RS256).
The JWT payload carries the actual claims (user id, expiration time, scopes, etc.).
The JWT signature is the cryptographic proof that the token wasn't tampered with.
Anyone with the token can read the header and payload. The signature is what protects them: change a single byte of either and the signature no longer verifies.
Why you should never paste tokens into sketchy sites
This is a security PSA.
If you paste a JWT into a tool that sends it to a server (instead of decoding it locally), you've just leaked your token. The site operator can:
- Steal your session
- Impersonate the user
- Use the token in their own scripts
And many "JWT decoder" sites do exactly this. They post to a backend, "decode," and return the result. Their server now has your token in a log file.
The fix: only use JWT decoders that run in the browser. The token never leaves your machine.
The free JWT decoder I use
I built Molixa JWT Decoder specifically because every other "free" decoder either had ads or sent the token to a server.
Mine doesn't.
You paste a JWT. The decoder uses JavaScript in your browser to split, base64-decode, and parse the JSON. Done.
No analytics fire on the token. No server roundtrip. No logging.
Step-by-step: decode your first JWT
Here's how it works.
Step 1: Grab a JWT
From your app's local storage, browser DevTools, or an API response.
In Chrome DevTools, open Application → Storage → Local Storage → look for keys like "access_token" or "jwt."
Step 2: Open the decoder
Step 3: Paste
One big text area at the top. Paste the full token.
Step 4: Read the breakdown
You'll see three panels:
- Header — algorithm, type, key ID
- Payload — the actual claims
- Signature — base64url-encoded bytes (there's nothing to decode here; you can only verify it)
Step 5: Check the claims
The payload is where the action is. Look for:
- sub — subject (usually the user ID)
- iat — issued at (timestamp)
- exp — expires at (timestamp; convert to date)
- iss — issuer (which service made the token)
- aud — audience (which service can use the token)
- scope — permissions granted
A JWT inspector worth its salt automatically converts the timestamps to readable dates.
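As an added example (not the Molixa tool's code), here is the split-and-decode step in Python, including the base64url padding fix and the epoch-to-date conversion a good inspector does for you. The header and payload segments are the page's example token; the signature segment is a constructed placeholder.

```python
import base64
import json
from datetime import datetime, timezone

# Constructed sample: header and payload are the page's example segments,
# the signature segment is a placeholder (decoding never checks it anyway).
SAMPLE_JWT = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9"
    ".eyJzdWIiOiIxMjMiLCJleHAiOjE2MjYxMjM0NTZ9"
    ".abc123def456"
)
TIMESTAMP_CLAIMS = ("iat", "nbf", "exp")


def b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url without '=' padding; restore it before decoding."""
    if not segment:
        raise ValueError("empty segment")
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt(token: str) -> dict:
    """Split and decode a compact JWT. This only reads the token; it proves nothing."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError(f"expected 3 dot-separated segments, got {len(parts)}")
    header_b64, payload_b64, signature_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    payload = json.loads(b64url_decode(payload_b64))
    # Epoch-seconds claims become readable UTC dates, like a good inspector does.
    timestamps = {
        claim: datetime.fromtimestamp(payload[claim], tz=timezone.utc).isoformat()
        for claim in TIMESTAMP_CLAIMS
        if isinstance(payload.get(claim), (int, float))
    }
    return {
        "header": header,
        "payload": payload,
        "timestamps": timestamps,
        # Raw signature bytes: there is nothing to "decode" here, only to verify.
        "signature": b64url_decode(signature_b64),
    }


if __name__ == "__main__":
    decoded = decode_jwt(SAMPLE_JWT)
    print(json.dumps({k: v for k, v in decoded.items() if k != "signature"}, indent=2))
```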
How to verify a JWT signature
Decoding shows you the contents. Verification proves the token is legit.
For HS256 (symmetric)
You need the shared secret. Paste it into the verify panel. The decoder computes HMAC-SHA256 over the encoded header.payload string with that secret, compares the result to the signature segment, and tells you "valid" or "invalid."
Don't store the secret anywhere persistent. It's a secret for a reason.
For RS256 (asymmetric)
You need the public key (PEM format). Paste it. The decoder verifies the signature using the public key.
Public keys are safe to share; that's the point.
Common JWT mistakes
A few I see all the time:
Mistake 1: Storing JWTs in localStorage. Vulnerable to XSS. Use httpOnly cookies for session tokens.
Mistake 2: Trusting decoded contents. The payload is just base64. Anyone can change it. Always verify the signature server-side.
Mistake 3: Long expiration times. Tokens with exp 30+ days out are risky. Use short-lived access tokens, with refresh tokens for long sessions.
Mistake 4: Putting sensitive data in the payload. The payload is readable to anyone with the token. Don't put credit card numbers, full names, or anything you wouldn't want logged.
Mistake 5: Pasting prod tokens in tools that send to a server. See above. Use browser-only decoders.
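An added example (not from the page or the Molixa tool) of the server-side HS256 verification described above: signature check with a constant-time compare, the algorithm pinned, then the expiry and iss/aud checks that Mistakes 2 and 3 call for. The secret, issuer and audience values are constructed for the demo.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed values for this demo; a real secret is never hard-coded like this.
DEMO_SECRET = b"demo-secret-do-not-reuse"
EXPECTED_ISSUER = "https://issuer.example"
EXPECTED_AUDIENCE = "api.example"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")

def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def sign_hs256(payload: dict, secret: bytes) -> str:
    """Mint a token so the verifier has something realistic to check (demo only)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url(json.dumps(p, separators=(",", ":")).encode()) for p in (header, payload)
    )
    mac = hmac.new(secret, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url(mac)}"

def verify_hs256(token: str, secret: bytes, now=None) -> dict:
    """Return the claims only if the signature AND the standard claims check out."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm server-side; never let the token's own header pick it.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    # HMAC-SHA256 over the exact encoded 'header.payload' string, constant-time compare.
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("invalid signature")
    claims = json.loads(b64url_decode(payload_b64))
    now = time.time() if now is None else now
    if not isinstance(claims.get("exp"), (int, float)) or now >= claims["exp"]:
        raise ValueError("token expired or has no exp")
    if claims.get("iss") != EXPECTED_ISSUER or claims.get("aud") != EXPECTED_AUDIENCE:
        raise ValueError("token is not for this service")
    return claims
```

The claims are only returned after every check passes, so callers never see the contents of a token that failed verification.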
Real example: debugging a 401#
Last week, my API kept returning 401 for a user. They swore their token was valid.
I asked them to paste the token into Molixa JWT Decoder.
Their payload showed exp: 1715342400. I converted: that was 3 hours ago.
Their token was expired. The refresh flow had silently failed.
Total debug time: 90 seconds.
What about jwt.io?
The most famous JWT decoder online.
Pros: industry standard; trusted by many.
Cons: has ads; the UI hasn't been updated in years; sends some analytics on token usage (not the token itself, but enough to know patterns).
Molixa JWT Decoder is a clean, fast alternative for everyday use.
For the official jwt.io experience, go to jwt.io. For day-to-day decoding without ads, mine works.
Pro tips
A few habits worth picking up:
Tip 1: Use the timestamp converter feature. JWT timestamps are Unix epoch seconds; you want them as human-readable dates.
Tip 2: Bookmark the decoder. You'll use it more than you expect.
Tip 3: Always check iss and aud. If they don't match what your service expects, the token isn't for you — reject it.
Tip 4: Keep production secrets out of "verify" panels. Use a local CLI tool (like the official jose-cli) for production verification flows.
Tip 5: For debugging mobile app tokens, copy them via Charles Proxy or Proxyman, then decode in browser.
Modern JWT alternatives
A few notes for context:
PASETO — designed to fix JWT's design issues. Better defaults, no algorithm confusion attacks.
Branca — small, signed tokens. Less common, but simpler.
Opaque tokens — random strings that map to server-side sessions. Some teams are returning to these for security reasons.
JWT is still dominant though. Knowing how to decode and verify is table stakes.
Wrap-up
JWT tokens aren't scary once you understand the structure.
Header. Payload. Signature.
A good free JWT decoder shows you all three, converts the timestamps, and never sends the token to a server.
Molixa JWT Decoder ticks every box.
Bookmark it. Use it. Stop pasting tokens into random sites.
Stay secure out there.