$ jwt-decoder
⛨ local-only: runs entirely in your browser. Nothing you enter is transmitted or stored — verify in DevTools → Network, or try it in airplane mode.
header
payload
signature
Notes
This is a decode-only inspector: a JWT's header and payload are just base64url-encoded JSON, readable by anyone — the signature is what makes them trustworthy, and verifying it requires the secret or public key, which you should never paste into any website (including this one). Treat everything a decoder shows you as unverified claims.