Contact
For questions, bug reports, content corrections, or feedback about the JWT decoder tool or any of the guides on this site, the best way to reach us is by email:
What to Include
The more context you include, the faster we can respond usefully. Here is what to include for each type of message:
- Bug reports: Describe the issue, what you expected to happen, and what actually happened. Include the browser name and version, the operating system, and any error messages shown. If the issue involves a specific token, describe its algorithm and structure without including the actual token contents (which may be sensitive).
- Feature requests: Describe the use case — what task you were trying to accomplish and what the tool currently lacks to support it. Concrete use cases are more useful than abstract feature descriptions.
- Content corrections: Include the specific page URL, the claim that appears incorrect, and a supporting reference (RFC, spec document, or authoritative source). We take accuracy seriously and act on corrections promptly.
- Security issues: See the responsible disclosure section below.
Response Time
We aim to respond to all messages within 5 business days. Content corrections and security disclosures are treated as higher priority and typically receive a response within 1–2 business days.
If you do not receive a reply within 5 business days, it is possible the message was filtered as spam. Re-sending with a clear subject line (e.g., "JWT Decode bug report" or "Content correction — /jwt-claims-explained") generally resolves this.
Frequently Asked Questions
Why is there no contact form?
This site has no backend server — all JWT processing runs entirely in your browser. Adding a contact form would require a server endpoint to receive submissions, which conflicts with the privacy-first design philosophy. Email is the simplest alternative that requires no backend infrastructure and leaves no server-side logs of message content.
Is my JWT safe to share with you?
Please do not include actual JWT tokens in your email. If you need to describe an issue involving a specific token, describe its structure (algorithm, claims present, approximate expiry) without including the token value itself. JWTs often contain PII and session credentials that should not be transmitted by email.
Can I use the tool for commercial projects?
Yes. JWT Decode is a free tool with no usage restrictions for personal or commercial debugging and development work. There is no API to integrate — the tool is a browser-based application for human use.
How do I report a security vulnerability?
See the responsible disclosure section below.
Responsible Disclosure
If you discover a security vulnerability in jwtdecode.app — for example, a cross-site scripting issue, a privacy leak where token data could be transmitted without the user's knowledge, or a cryptographic verification flaw — please disclose it responsibly via email before making it public.
Send vulnerability reports to hello@jwtdecode.app with a subject line that includes "Security" so it is prioritised. Include:
- A description of the vulnerability and its potential impact
- Steps to reproduce the issue
- Any proof-of-concept code or screenshots
- Your preferred contact details for follow-up
We will acknowledge receipt within 48 hours, investigate the report, deploy a fix, and notify you when the fix is live. We ask that you allow reasonable time for a fix to be deployed before any public disclosure — typically 14 days for straightforward issues, longer for complex ones if agreed in advance.
Self-Service Resources
Before emailing, the guides on this site cover the most common questions:
- Token shows as "Invalid JWT": See Common JWT Errors and How to Fix Them for a walkthrough of malformed token issues.
- Signature verification fails: The same guide covers invalid signature errors and key format issues.
- Understanding what claims mean: See JWT Claims Explained for a reference on all seven standard registered claims.
- Choosing between HS256 and RS256: See HS256 vs RS256: When to Use Symmetric vs Asymmetric JWT Signing.
- Privacy questions: See the Privacy Policy or the How It Works page for a technical explanation of how token processing works locally.