Guide
JWT Decoding vs JWT Verification
A JWT decoder helps inspect token contents, but it does not prove the token is valid or trustworthy.
Related tools
JWT structure
A typical JWT has three dot-separated sections: header, payload, and signature. The header describes token metadata such as the algorithm. The payload contains claims such as subject, issuer, audience, and expiration. The signature is used by a verifier to detect tampering.
The header and payload are commonly Base64URL-encoded JSON. Decoding them makes them readable, but readability is not the same as trust.
What decoding reveals
Decoding is useful for debugging integrations. You can inspect the algorithm in the header, check an expiration claim, compare issuer or audience values, and see whether custom claims are shaped as expected.
Why decoding does not prove trust
Anyone can create text that looks like a JWT. A decoder can display that text, but it cannot know whether the token came from the expected issuer or whether the signature matches the trusted key.
Signature verification requires the correct verification algorithm, key material, issuer/audience rules, time checks, and application-specific validation.
Sensitive token warning
JWTs can contain account identifiers, emails, tenant IDs, permissions, or bearer credentials. Avoid pasting production tokens into any online tool unless you understand the local device, browser, extensions, and site behavior involved.
FAQ
Does DevPouch verify JWT signatures?
No. The JWT tool decodes and formats the header and payload locally. It does not verify signatures.
Can an expired JWT still decode?
Yes. Expiration is a claim that a verifier should enforce. A decoder can show the claim even when the token is expired.