Encode/decode Base64 strings and inspect JWT tokens instantly. Zero uploads. Your data never leaves your device.
Standard Base64 uses + and /. URL-safe Base64 replaces them with - and _. This tool auto-detects and handles both.
Base64 uses = padding to make the output length a multiple of 4. JWT tokens omit padding; this tool handles both with and without padding.
Base64 is encoding, not encryption. It is trivially reversible by anyone. Never use it to "hide" sensitive data; use proper encryption for that.
Text is encoded as UTF-8 before Base64 encoding, so emoji and non-ASCII characters are fully supported on both encode and decode.
A JWT is three Base64URL-encoded parts separated by dots: header.payload.signature. The header and payload are JSON; the signature is binary.
exp is a Unix timestamp (seconds since epoch). iat is when it was issued. nbf is "not before". This tool highlights if the token is expired.
This tool decodes the header and payload only. It cannot verify the signature without the secret key. Always verify signatures server-side before trusting a JWT.
HS256/384/512 use HMAC with a shared secret. RS256/384/512 use RSA key pairs. ES256/384/512 use elliptic curves. The algorithm is declared in the header's alg field.
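The decode-only inspection described above, as an added example that is not this tool's own code: it splits header.payload.signature, restores the padding JWTs omit, decodes the JSON parts as UTF-8, and checks exp and nbf against a supplied clock. The function names and the sample token are constructed for illustration.

```javascript
// Added example: decode-only JWT inspection. No signature verification happens here.

// Base64URL -> bytes: map '-' and '_' back to '+' and '/', then restore '=' padding.
function b64urlToBytes(segment) {
  if (!/^[A-Za-z0-9_-]*$/.test(segment)) throw new Error("not Base64URL");
  if (segment.length % 4 === 1) throw new Error("impossible Base64 length");
  const std = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = std + "=".repeat((4 - (std.length % 4)) % 4);
  return Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
}

// Header and payload are UTF-8 JSON; fatal:true rejects invalid byte sequences.
function decodeJsonSegment(segment) {
  const text = new TextDecoder("utf-8", { fatal: true }).decode(b64urlToBytes(segment));
  return JSON.parse(text);
}

function inspectJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const header = decodeJsonSegment(parts[0]);
  const payload = decodeJsonSegment(parts[1]);
  return {
    header,
    payload,
    signatureBytes: b64urlToBytes(parts[2]).length, // signature is binary, not JSON
    expired: typeof payload.exp === "number" && nowSeconds >= payload.exp,
    notYetValid: typeof payload.nbf === "number" && nowSeconds < payload.nbf,
    signatureVerified: false, // always false: decoding proves nothing about authenticity
  };
}

// Constructed sample input. This helper only builds the test token.
function toB64url(obj) {
  const bytes = new TextEncoder().encode(JSON.stringify(obj));
  return btoa(String.fromCharCode(...bytes))
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}
const SAMPLE_TOKEN = [
  toB64url({ alg: "HS256", typ: "JWT" }),
  toB64url({ sub: "user-ü", iat: 1700000000, nbf: 1700000000, exp: 1700003600 }),
  "c2lnbmF0dXJl", // Base64URL of the ASCII text "signature", not a real MAC
].join(".");
```

The result always reports signatureVerified as false, so a caller cannot mistake a readable payload for a trusted one.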