JWT Decoder
Decode JSON Web Token headers and payloads locally in your browser without uploading tokens.
Decoded locally in your browser. This tool does not verify the token signature.
How to use this tool
Paste a JSON Web Token into the decoder.
Review the decoded header and payload JSON without sending the token to a server.
Check claims such as `iss`, `sub`, `aud`, `iat`, `nbf`, and `exp` while remembering that decoding is not verification.
Decoding is not verification
A JWT payload is Base64URL-encoded JSON, so it can be decoded by anyone who has the token.
Decoding shows what the token claims, but it does not prove the signature is valid or that the issuer should be trusted.
Production systems must verify the signature, expected algorithm, issuer, audience, expiry, and key rotation behavior.
JWT privacy and secret handling
Access tokens, refresh tokens, and ID tokens can grant access to real accounts and APIs.
This decoder runs in the browser and Lumio does not store token contents for analytics, but you should still avoid pasting live production secrets into third-party tools.
For incident response, revoke exposed tokens and rotate affected credentials.
Examples
Common JWT claims
Output:
    {
      "sub": "user-123",
      "aud": "api",
      "exp": 1893456000
    }
Unsigned trust mistake
Never trust a decoded JWT just because the JSON looks reasonable. Signature verification is the security boundary.
FAQ
Does this verify the JWT signature?
No. It decodes the header and payload locally. Signature verification requires the correct key and expected validation rules.
Can anyone read a JWT payload?
Usually yes. Standard JWT payloads are encoded, not encrypted. Do not put secrets in JWT claims.
What does exp mean?
`exp` is the expiration timestamp. A verifier should reject the token after that time, usually with a small clock-skew allowance.
Is the token uploaded?
No. Decoding runs locally in your browser and token contents are not stored for analytics.