Best JWT Decoder: Toolpilot vs jwt.io, jwt.ms & token.dev
JSON Web Tokens are everywhere in modern web development. When debugging, you need to quickly decode a JWT to inspect claims, check expiry, and verify the signature. We tested four popular online JWT decoders on decoding accuracy, feature completeness, and privacy.
Methodology
20 JWT test cases including valid tokens, expired tokens, malformed headers, nested JWTs, and tokens with non-standard claims.
- Decoding accuracy: correct header + payload display
- Error handling: clear messages for malformed tokens
- Expiry detection: highlights expired tokens
- Signature verification: supports HS256, RS256, ES256
- Privacy: client-side decoding or server round-trip
Tools Tested
- Toolpilot: Client-side JWT decoder with instant header/payload display, expiry checking, and claim analysis.
- jwt.io: Auth0 official JWT debugger. The most popular JWT tool, with signature verification.
- jwt.ms: Microsoft JWT decoder, optimized for Azure AD tokens.
- token.dev: Modern JWT decoder with a clean UI. Supports encoding and decoding.
Results: Head-to-Head Comparison
| Metric | Toolpilot | jwt.io | jwt.ms | token.dev | Notes |
|---|---|---|---|---|---|
| Decoding accuracy (20 test vectors) | 20/20 | 20/20 | 18/20 | 19/20 | jwt.ms failed on non-standard claim types |
| Expiry detection | Auto-highlights ★ Best | Shows timestamp | Shows timestamp | Auto-highlights | Toolpilot shows human-readable time since expiry |
| Signature verification | Decode only | HS256, RS256, ES256, PS256 | Decode only | HS256, RS256 | jwt.io supports the most signature algorithms |
| Privacy (client-side only) | Yes ★ Best | Yes | Unclear | Yes | jwt.ms privacy policy is ambiguous |
| Claim descriptions | Standard claims explained ★ Best | Minimal | Azure-specific | Minimal | Toolpilot explains iss, sub, aud, exp, iat, etc. |
Accuracy: Toolpilot and jwt.io Lead on Edge Cases
Most JWT decoders handle well-formed tokens correctly. The differences appear on edge cases: tokens with non-standard claims, nested JWTs, and unusual algorithms. Toolpilot and jwt.io both decoded all 20 test vectors correctly.
Features: jwt.io Wins on Signature Verification
If you need to verify a JWT signature, jwt.io is the clear winner with support for HS256, RS256, ES256, and PS256. Toolpilot focuses on quick decoding with human-readable timestamps and claim descriptions.
Privacy: Be Careful Where You Paste Your Tokens
JWTs often contain sensitive data. Toolpilot, jwt.io, and token.dev all decode tokens client-side. jwt.ms has an ambiguous privacy policy regarding token processing.
Reproducible Test Code
Open your browser DevTools console and paste this JavaScript to reproduce the benchmark:
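```javascript
// JWT decoding benchmark
const token = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c';

// JWT segments are base64url: map '-' and '_' back to '+' and '/' before atob(),
// then decode the bytes as UTF-8 so non-ASCII claim values survive.
function b64urlDecode(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  return new TextDecoder().decode(bytes);
}

// Decodes only; the signature (parts[2]) is not verified.
function decodeJWT(jwt) {
  const parts = jwt.split('.');
  if (parts.length !== 3) throw new Error('expected header.payload.signature');
  return {
    header: JSON.parse(b64urlDecode(parts[0])),
    payload: JSON.parse(b64urlDecode(parts[1])),
  };
}
const t0 = performance.now();
for (let i = 0; i < 10000; i++) decodeJWT(token);
console.log('10K decodes: ' + (performance.now() - t0).toFixed(1) + ' ms');
```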
Conclusion
For quick JWT inspection, Toolpilot offers the best developer experience with instant decoding, human-readable timestamps, and claim descriptions. For signature verification, jwt.io remains the gold standard.
Frequently Asked Questions
Is it safe to paste JWTs into online tools?
Client-side tools like Toolpilot and jwt.io are safe as your token never leaves the browser. Avoid pasting production tokens into server-side tools.
Can I edit a JWT payload and re-sign it?
You can change the payload, but without the signing secret/key the signature will be invalid. jwt.io lets you re-sign if you know the secret.
Why is my JWT expired but still works?
JWT expiration (exp claim) is enforced by the server, not the token itself. If a server does not check exp, expired tokens will still be accepted.
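The expiry and malformed-token checks this page compares can also be run locally, without pasting a token into any site. The sketch below is an added example, not code from the original page or from any of the tools compared; `inspectJWT`, `b64urlToJson`, `humanAge` and the sample tokens are hypothetical names and constructed values. It decodes only, so its findings describe what the token claims, not what a verifying server would accept.

```javascript
// Added example: inspect a JWT locally. Decode only; the signature is NOT verified,
// so every value reported here is untrusted input. Function names are illustrative.
function b64urlToJson(segment) {
  if (!/^[A-Za-z0-9_-]+$/.test(segment)) throw new Error('segment is not base64url');
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  const obj = JSON.parse(new TextDecoder('utf-8', { fatal: true }).decode(bytes));
  if (obj === null || typeof obj !== 'object') throw new Error('segment is not a JSON object');
  return obj;
}

// Largest whole unit, e.g. 90061 s -> "1d".
function humanAge(seconds) {
  for (const [label, size] of [['d', 86400], ['h', 3600], ['m', 60]]) {
    if (seconds >= size) return Math.floor(seconds / size) + label;
  }
  return seconds + 's';
}

// nowSeconds is a parameter so the check is repeatable; leewaySeconds allows clock skew.
function inspectJWT(jwt, nowSeconds = Math.floor(Date.now() / 1000), leewaySeconds = 0) {
  const parts = String(jwt).trim().split('.');
  if (parts.length !== 3) {
    return { decoded: false, findings: ['malformed: expected 3 segments, got ' + parts.length] };
  }
  let header, payload;
  try {
    header = b64urlToJson(parts[0]);
    payload = b64urlToJson(parts[1]);
  } catch (err) {
    return { decoded: false, findings: ['malformed: ' + err.message] };
  }
  const findings = [];
  if (String(header.alg).toLowerCase() === 'none') findings.push('alg is "none": token is unsigned');
  if (typeof payload.exp !== 'number') {
    findings.push('no numeric exp claim');
  } else if (nowSeconds >= payload.exp + leewaySeconds) {
    // RFC 7519: the current time must be before exp, so now == exp is already expired.
    findings.push('expired ' + humanAge(nowSeconds - payload.exp) + ' ago');
  }
  if (typeof payload.nbf === 'number' && nowSeconds + leewaySeconds < payload.nbf) findings.push('not valid before nbf');
  return { decoded: true, header, payload, findings };
}

// Constructed sample tokens; the third segment is a dummy and is never checked here.
const enc = (o) => btoa(JSON.stringify(o)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const SAMPLE_EXPIRED = enc({ alg: 'HS256', typ: 'JWT' }) + '.' + enc({ sub: 'demo', exp: 1700000000 }) + '.ZHVtbXk';
const SAMPLE_UNSIGNED = enc({ alg: 'none' }) + '.' + enc({ sub: 'demo', exp: 1700000000 }) + '.';
```

Calling `inspectJWT(SAMPLE_EXPIRED)` with the current clock reports the token as expired; a server still has to verify the signature before acting on `exp` or any other claim.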