Encoded Token
Header
Payload
Verify Signature
Tutorial: Finding a JWT in the Wild
Many modern websites—like social media platforms, online shopping sites, and project management tools—use JWTs to keep you logged in. You can often find these tokens in your browser's developer tools after you sign in. This guide shows you how.
A JWT is like a temporary password. Pasting an active token from a site where you are logged in (like your email or social media) into a public, third-party website is a major security risk. If that site is malicious, it could use your token to impersonate you and access your account.
While this specific decoder is safe because all processing happens in your browser (no data is ever sent to a server), you should never paste sensitive tokens into online tools you don't fully trust.
Log In to a Website: Go to any site that requires a login and sign in to your account.
Open Developer Tools: Press F12 or right-click the page and select "Inspect".
Navigate to Storage: Find the Application tab (in Chrome/Edge) or the Storage tab (in Firefox).
Check Browser Storage: On the left side, look under Local Storage and Session Storage. Click the URL for the site you're on.
Find the Token: Look for a key named token, jwt, access_token, or similar. The value next to it is the JWT. Copy it.
Alternative Method: Sometimes tokens aren't in storage. Check the Network tab in dev tools. After logging in, look for requests and check their Headers for an Authorization: Bearer ey... header, or check the Response body for the token.
Decode Safely: Paste the token into the "Encoded Token" box above to see its contents.
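For a token you would rather not paste into any web page, the same decoding can be done offline with Node.js. This is an added example, not code from this decoder: the function names decodeJwt and redactJwt are hypothetical, the sample token is constructed, and the code only decodes the token without verifying its signature.

```javascript
// Convert one base64url segment (RFC 7515) to bytes; reject anything else.
function b64urlToBuffer(segment) {
  if (!/^[A-Za-z0-9_-]+$/.test(segment)) throw new Error("not base64url");
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  return Buffer.from(b64 + "=".repeat((4 - (b64.length % 4)) % 4), "base64");
}

// Decode header and payload locally. The signature is NOT verified here:
// the result shows what the token claims, not whether it is genuine.
function decodeJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const [header, payload] = parts
    .slice(0, 2)
    .map((p) => JSON.parse(b64urlToBuffer(p).toString("utf8")));
  return {
    header,
    payload,
    signatureBytes: parts[2] ? b64urlToBuffer(parts[2]).length : 0,
    // RFC 7519: a token is only valid while the current time is before exp.
    expired: typeof payload.exp === "number" ? nowSeconds >= payload.exp : null,
  };
}

// Replace the signature so the claims can be shared (for example in a bug
// report) without handing over a token a signature-checking server accepts.
function redactJwt(token) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  return `${parts[0]}.${parts[1]}.REDACTED`;
}

// Constructed sample token: made-up claims and a placeholder signature.
const b64url = (s) =>
  Buffer.from(s).toString("base64").replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const SAMPLE_TOKEN = [
  b64url(JSON.stringify({ alg: "HS256", typ: "JWT" })),
  b64url(JSON.stringify({ sub: "user-123", exp: 1700000000 })),
  b64url("sample-signature"),
].join(".");

console.log(decodeJwt(SAMPLE_TOKEN));
console.log(redactJwt(SAMPLE_TOKEN));
```

The redacted form still exposes everything in the payload, so check the claims for personal data before sharing it.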