
How to Decode a JWT Token Online

Learn what a JSON Web Token (JWT) is, how to read its header and payload, and how to decode one instantly in the browser without installing anything.

Try the free online tool mentioned in this guide: JWT Decoder

What is a JWT?

A JSON Web Token (JWT) is a compact, URL-safe way to represent claims between two parties. JWTs are widely used for authentication and authorization in APIs, single-page apps, and microservices. When a user logs in, the server typically returns a JWT that the client sends back on every subsequent request inside the Authorization header.

A JWT has three parts separated by dots: the header, the payload, and the signature. Each part is Base64URL-encoded, which is why a raw token looks like a long string of random characters. Understanding how to decode and read that string is an essential debugging skill.

The three parts of a JWT

Header — Describes the token type and signing algorithm. Typical values are {"alg": "HS256", "typ": "JWT"}. The alg field tells you how the signature was generated (e.g., HS256 for HMAC-SHA256, or RS256 for RSA with SHA-256).

Payload — Contains the claims, which are statements about the user or context. Registered claims like sub (subject), iat (issued at), and exp (expiration) are standardized. Custom claims like userId or role are added by the application.

Signature — A cryptographic signature that proves the token has not been tampered with. It is computed by signing the encoded header and payload with a secret or private key. You cannot verify the signature without the key, but you can still decode the header and payload to read their contents.

```text
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkphbmUgRG9lIiwiaWF0IjoxNzE2MjM5MDIyLCJleHAiOjE3MTYyNDI2MjJ9
.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
```

How to decode a JWT manually

Because each part is Base64URL-encoded (not encrypted), you can decode the header and payload without any secret key. Base64URL is Base64 with + replaced by - and / replaced by _, and with the trailing = padding removed, so a strict Base64 decoder may need that padding restored first.

To decode manually in a terminal:

```bash
# Split on dots and decode the first two parts (header and payload)
TOKEN="eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkphbmUgRG9lIiwiaWF0IjoxNzE2MjM5MDIyLCJleHAiOjE3MTYyNDI2MjJ9.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
for part in $(echo "$TOKEN" | cut -d. -f1,2 | tr . ' '); do
  # Base64URL -> Base64: restore + and /, re-add = padding, then decode
  echo "$part" | tr '_-' '/+' | awk '{ while (length($0) % 4) $0 = $0 "="; print }' | base64 -d; echo
done
# Output: {"alg":"HS256","typ":"JWT"}
#         {"sub":"1234567890","name":"Jane Doe","iat":1716239022,"exp":1716242622}
```

How to decode a JWT online (instant, no install)

The fastest way to read a JWT during debugging is to paste it into an online decoder. MyDevTools JWT Decoder runs entirely in your browser — your token is never sent to a server. The tool splits the token into its three parts, decodes the header and payload to readable JSON, and highlights the expiration time (exp) as a human-readable date so you can instantly see whether a token is still valid.

When to use an online decoder: during API debugging to check which claims a token carries, after a login flow to verify the payload matches expected user data, and when reviewing third-party tokens to understand their structure.

Common JWT claim fields

  • sub — Subject: the user or entity the token represents.
  • iat — Issued At: Unix timestamp when the token was created.
  • exp — Expiration: Unix timestamp after which the token is invalid.
  • aud — Audience: intended recipient(s) of the token.
  • iss — Issuer: who created and signed the token.
  • jti — JWT ID: a unique identifier for the token, useful for revocation.

Custom claims like role, email, or permissions are added by the application and are not standardized but follow the same structure.

Decoding vs verifying a JWT

Decoding reads the contents. Verifying proves the token is authentic and unmodified. For decoding (reading claims), no key is needed — the header and payload are just Base64URL. For verification, you need the signing key or public key that matches the algorithm in the header.

Always verify JWTs in backend services before trusting their claims, and have the verifier pin the expected algorithm and key rather than accepting whatever the token's own header announces. Use decoding only for debugging and inspection on the client side.

Frequently asked questions

Is it safe to paste my JWT into an online decoder?

Use a browser-based decoder that processes the token locally without sending it to a server. MyDevTools JWT Decoder works entirely in your browser — the token never leaves your machine. Avoid decoders that require submitting the token to an external endpoint.

Can I decode a JWT without the secret key?

Yes. The header and payload are Base64URL-encoded, not encrypted. You can decode them to plain JSON without any key. You cannot verify the signature without the signing key, but decoding and reading the claims requires no secret.

What does it mean when a JWT is expired?

The exp claim holds a Unix timestamp. If the current time is past that timestamp, the token is expired and backend services should reject it. A decoder converts the exp value to a human-readable date so you can quickly see whether a token is still valid.

Why does my JWT look different each time even for the same user?

JWTs typically include an iat (issued at) timestamp and sometimes a jti (JWT ID). These fields change with every token issued, so even identical claims produce a different token string each time.

Try JWT Decoder for free

Decode JSON Web Tokens in the browser: header, payload, exp, iat, and nbf. No server upload; signature not verified. No install, no account required to try it.