
Supabase JWT Decoder

Paste a Supabase JWT token to decode it. See all claims, check expiration, and understand what each field means.


Supabase JWT Security Tips

Never expose user JWTs in client-side code. Store them securely (httpOnly cookies or the platform's secure storage).
The role claim determines how Row Level Security (RLS) treats the request: "anon" bypasses no policies, "authenticated" runs policies with the user's context, and "service_role" bypasses ALL RLS.
Check the exp claim regularly. Expired tokens should be replaced by using the refresh token to obtain a new access token.
Supabase anon keys are meant to be public, but service_role keys must NEVER be exposed in client code.
