JWT Header & Payload Viewer
About the JWT Header & Payload Viewer
A 100% client-side, open-source web tool that decodes and displays the header and payload of any JSON Web Token (JWT) — without ever sending your data to a server.
Built for developers, security engineers, and educators, this viewer eliminates the privacy risks of online JWT debuggers. When you paste a token, all processing happens in your browser using native JavaScript APIs like atob() and JSON.parse(). No network requests. No logging. No tracking.
Why It Was Created
Most JWT tools require you to submit tokens to remote servers — a dangerous practice when dealing with production credentials, internal APIs, or sensitive user data. Even “trusted” tools may log inputs, retain history, or be compromised. This viewer solves that by running entirely locally, giving you full control and peace of mind.
Whether you're debugging an OAuth flow, verifying token claims, teaching authentication concepts, or auditing security headers, this tool delivers instant, safe results.
Core Features
- Instant Decoding – Paste any JWT and see header/payload immediately
- Human-Readable Timestamps – exp, iat, nbf converted to UTC dates
- Expiration Status – Live badge: Valid or Expired
- Raw vs. Pretty View – Toggle between Base64Url strings and formatted JSON
- Copy to Clipboard – Export header or payload with one click
- Responsive Design – Works flawlessly on mobile, tablet, and desktop
- Zero Dependencies – No backend, no database, no analytics
Technical Foundation
Powered by SvelteKit for blazing-fast static generation and Bootstrap 5 for clean, accessible UI. The entire site is deployed via GitHub Pages, ensuring global availability and automatic updates from the open-source repository.
All code is licensed under the MIT License, encouraging contributions, forks, and self-hosting. You can even install it as a PWA for offline use.
Who Uses It?
Frontend engineers verifying access tokens, backend developers testing refresh logic, DevOps teams auditing auth flows, and instructors demonstrating JWT structure in classrooms — all rely on a tool that respects privacy and delivers accuracy.
No data leaves your device. No compromises. Just pure, secure JWT inspection.
How to Use the JWT Viewer
Decode any JWT in seconds — safely and privately. Follow this step-by-step guide to inspect tokens like a pro.
Step 1: Obtain Your JWT
JWTs are commonly found in:
- Browser Dev Tools → Application → Local Storage or Cookies
- Network Tab → Request headers: Authorization: Bearer <token>
- API Responses → Login or token endpoint
- Logs or Debug Output → From your backend or SDK
Copy the full token string (three parts separated by dots: header.payload.signature).
Step 2: Paste into the Viewer
Click in the large text area at the top of this page and paste your JWT. The tool auto-decodes instantly — no "Submit" button needed.
Step 3: Explore the Results
Two tabs appear:
- Header Tab – Shows alg (algorithm), typ (usually "JWT"), and kid if present.
- Payload Tab – Displays user claims: sub, iss, aud, exp, custom fields, etc.
Step 4: Use Advanced Features
Check Token Validity
Look at the summary bar:
- Expires: Full UTC date + Valid or Expired
- Issued / Not Before: Formatted timestamps for lifecycle analysis
Toggle Raw View
Check “Show Raw Base64Url” to see the original encoded strings. Great for:
- Teaching Base64Url encoding rules
- Comparing with server logs
- Manual verification
Copy Output
Click “Copy JSON Header” or “Copy Raw Payload” to export structured data for documentation, tickets, or code reviews.
Pro Tips
- Mobile Debugging: Use browser remote debugging (USB) or share token via secure note.
- Incognito Mode: Extra privacy layer — nothing persists.
- PWA Install: Add to home screen for 1-click access (Chrome/Edge).
- Clear Button: Instantly reset input and output.
Common Use Cases
- Debugging 401 Unauthorized errors
- Verifying token refresh behavior
- Onboarding new developers to your auth system
- Security reviews of token claims and expiration
- Educational demos of JWT structure
Safety Reminder
Never paste production secrets into public tools. This viewer is safe because it runs locally — but always treat tokens as sensitive.
Master JWT inspection in under a minute. Private. Fast. Accurate.
Frequently Asked Questions
Got questions about the JWT Viewer? We’ve got answers.
sub, iss or custom role, tenant_id — are displayed in the Payload tab in pretty-printed JSON. No filtering or hiding.
Common causes:
- Missing or extra dots (must be exactly 3 parts)
- Empty segments (e.g., ..signature)
- Invalid Base64Url characters (use - and _, no + or /)
- Header/payload not valid JSON after decoding
Double-check your copy-paste.
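The local decoding path and the failure causes listed above, as an added example that is not the viewer's own source code: it uses atob() and JSON.parse() as the page describes, and reports each malformed-token case with a distinct error. The function names b64urlToJson and inspectJwt and the sample token are constructed for illustration.

```javascript
// Added example (not the viewer's source); function names are hypothetical.
function b64urlToJson(segment, label) {
  if (segment.length === 0) throw new Error(`${label}: empty segment`);
  if (!/^[A-Za-z0-9_-]+$/.test(segment)) throw new Error(`${label}: invalid Base64Url characters`);
  if (segment.length % 4 === 1) throw new Error(`${label}: invalid Base64Url length`);
  // Base64Url -> Base64: swap the URL-safe alphabet back and restore '=' padding.
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/')
    .padEnd(Math.ceil(segment.length / 4) * 4, '=');
  // atob() yields one char per byte; decode as UTF-8 so non-ASCII claims survive.
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  let value;
  try { value = JSON.parse(new TextDecoder('utf-8', { fatal: true }).decode(bytes)); }
  catch { throw new Error(`${label}: not valid JSON after decoding`); }
  if (value === null || typeof value !== 'object' || Array.isArray(value)) {
    throw new Error(`${label}: JSON is not an object`);
  }
  return value;
}

function inspectJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split('.');
  if (parts.length !== 3) throw new Error(`expected 3 parts, got ${parts.length}`);
  const header = b64urlToJson(parts[0], 'header');
  const payload = b64urlToJson(parts[1], 'payload');
  // NumericDate claims are seconds since the epoch; reject values Date cannot represent.
  const toUtc = (v) => (Number.isFinite(v) && Math.abs(v) <= 8.64e12
    ? new Date(v * 1000).toISOString() : null);
  return {
    header,
    payload,
    times: { exp: toUtc(payload.exp), iat: toUtc(payload.iat), nbf: toUtc(payload.nbf) },
    // Expiry check only: the signature (parts[2]) is never verified here, so
    // "not expired" says nothing about whether the token is authentic.
    expired: Number.isFinite(payload.exp) ? nowSeconds >= payload.exp : null,
  };
}

// Constructed sample token; the third segment is a dummy string, not a real signature.
const enc = (o) => btoa(JSON.stringify(o))
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const SAMPLE = [
  enc({ alg: 'HS256', typ: 'JWT' }),
  enc({ sub: 'user-1', iat: 1700000000, exp: 1700003600 }),
  'c2ln',
].join('.');
console.log(inspectJwt(SAMPLE, 1700000100));
```

Because nothing here checks the signature, decoded claims are display data only and cannot be used for an authorization decision.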
npm install && npm run dev, or deploy the built docs/ folder to any static host (Netlify, Vercel, AWS S3, etc.).