
JWT decoder

Paste any JSON Web Token below. The decoder runs entirely in your browser — no network request, no logging, no telemetry on the token itself. Header and payload are pretty-printed; common claims (iat / exp / nbf / aud) are highlighted with a human-readable date.

What does the decoder show?

  • Header — the algorithm (alg) and key id (kid). HS256, RS256, ES256, EdDSA all decode the same — the decoder doesn't care about the key.
  • Payload — the claims. Standard claims (iss, sub, aud, exp, iat, nbf, jti) are recognized; everything else is shown as-is.
  • Signature — the raw bytes (base64url). We don't verify it — that requires the signing key, which you keep on your server.

Why client-side?

A JWT is often a session token. Pasting one into a server-side decoder is a small audit nightmare — that token, briefly, lives in someone else's logs. We don't want that responsibility. Decoding is a few lines of base64url arithmetic; the browser handles it fine.
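The local decode described above, as an added example (not this tool's own source): it splits the token, base64url-decodes the header and payload, renders iat / exp / nbf as dates, and reports the signature only as raw bytes. The function names, the `verified: false` field and the sample token are assumptions made for illustration; it runs in a browser or Node 16+.

```javascript
// Added example: decode (never verify) a JWT locally. Names are hypothetical.
const TIME_CLAIMS = ["iat", "exp", "nbf"];

// base64url -> bytes: check the alphabet, map back to base64, restore padding.
function b64urlToBytes(seg) {
  if (!/^[A-Za-z0-9_-]*$/.test(seg)) throw new Error("segment is not base64url");
  if (seg.length % 4 === 1) throw new Error("invalid base64url length");
  const pad = "=".repeat((4 - (seg.length % 4)) % 4);
  return Uint8Array.from(atob(seg.replace(/-/g, "+").replace(/_/g, "/") + pad),
    (c) => c.charCodeAt(0));
}

function decodeJsonSegment(seg, name) {
  // fatal:true rejects invalid UTF-8 instead of silently substituting U+FFFD
  const text = new TextDecoder("utf-8", { fatal: true }).decode(b64urlToBytes(seg));
  const obj = JSON.parse(text);
  if (obj === null || typeof obj !== "object" || Array.isArray(obj)) {
    throw new Error(`${name} is not a JSON object`);
  }
  return obj;
}

function decodeJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const header = decodeJsonSegment(parts[0], "header");
  const payload = decodeJsonSegment(parts[1], "payload");
  const signature = b64urlToBytes(parts[2]); // raw bytes only, not checked
  const times = {};
  for (const claim of TIME_CLAIMS) {
    if (typeof payload[claim] === "number") {
      times[claim] = new Date(payload[claim] * 1000).toISOString();
    }
  }
  return {
    header, payload, times,
    signatureBytes: signature.length,
    expired: typeof payload.exp === "number" ? nowSeconds >= payload.exp : null,
    verified: false, // decoding says nothing about authenticity
  };
}

// Constructed sample token; the signature segment is the text "signature".
const enc = (o) => btoa(JSON.stringify(o))
  .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const SAMPLE_TOKEN = [enc({ alg: "HS256", kid: "demo-key" }),
  enc({ sub: "user-1", iat: 1700000000, exp: 1700003600 }), "c2lnbmF0dXJl"].join(".");
console.log(JSON.stringify(decodeJwt(SAMPLE_TOKEN, 1700000100), null, 2));
```

Because nothing here checks the signature, the output is for inspection only; a server must still verify the token with its key before trusting any claim.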

Need a public URL for the OAuth callback?

If you're here because your local OAuth flow is breaking, you probably need a tunneled URL. Reserve a name once, paste it into your auth provider's callback config, and your dev environment stops drifting:

$ lrok reserve auth-dev
$ lrok http 3000 --hint auth-dev
  Forwarding https://auth-dev.lrok.io -> http://127.0.0.1:3000

Reserved subdomain on the free plan, $9/mo flat for unlimited tunnels.