// client-only · webcrypto api

— paste a token above

// decoded header and payload appear here


              curl -sX POST 'https://api.whittly.dev/v1/jwt/decode' \
  -H 'Authorization: Bearer $WHITTLY_API_KEY' \
  -H 'Content-Type: application/json' \
  -d '{"token":"eyJhbGciOiJIUzI1NiJ9.eyJzdWIiOiJhbGljZSJ9.abc"}'


              const res = await fetch('https://api.whittly.dev/v1/jwt/decode', {
  method: 'POST',
  headers: {
    'Authorization': 'Bearer ' + apiKey,
    'Content-Type': 'application/json',
  },
  body: JSON.stringify({ token: "eyJhbGciOiJIUzI1NiJ9..." }),
});
const data = await res.json();


              const { data } = await axios.post(
  'https://api.whittly.dev/v1/jwt/decode',
  { token: "eyJhbGciOiJIUzI1NiJ9..." },
  { headers: { Authorization: 'Bearer ' + apiKey } }
);

// probulk token validationpro·history syncproupgrade →

// about this tool

A JWT (JSON Web Token) consists of three Base64URL-encoded parts: a header that specifies the algorithm, a payload that carries claims (user ID, roles, expiration), and a signature that proves the token was issued by a trusted party. This tool decodes all three parts without verifying the signature.

// when to use

Inspect what claims an auth token contains
Check token expiration (exp claim) without writing code
Debug authentication issues in development
Verify the algorithm used to sign a token

// faq

Can this tool verify the JWT signature?

Client-side signature verification requires the secret key or public key, which you should never paste into a web tool. This tool decodes and displays the payload — signature verification should be done server-side with your auth library.

Why is the payload readable without a key?

JWT payloads are Base64URL-encoded, not encrypted. The signature only proves authenticity — it does not hide the contents. Never put sensitive data in a JWT payload if you are not encrypting the token (JWE).

// related tools

// about this tool

// when to use

// faq