Smart Decode
Paste anything. Smart Decode detects the encoding automatically and peels every nested layer — JWT, Base64, URL-encoding, hex, timestamps, JSON — in one pass.
Related Tools
One box that decodes anything
Most decoder tools ask you to know what you have before you start: you pick "Base64 decoder," or "JWT decoder," or "URL decoder," then paste. But in real debugging you often don't know what a mystery string is — it came out of a log line, a cookie, a database column, or a request header, and it could be any of a dozen formats, sometimes wrapped several layers deep.
Smart Decode removes that step. Paste the value and it inspects the character set, structure, and length to figure out the most likely encoding, decodes it, then repeats the process on the result until nothing recognizable is left. The output is a tree showing every layer it peeled — so a JWT whose payload contains a Base64 field that itself contains JSON is fully expanded in a single click.
Why client-side matters
The strings developers decode are frequently sensitive — session tokens, signed cookies, internal IDs. This tool never sends your input anywhere. All detection and decoding runs in your browser with plain JavaScript (atob, decodeURIComponent, JSON.parse). You can confirm it in DevTools → Network: decoding produces zero requests.
When Smart Decode saves you time
Dissecting an AWS Cognito / Auth0 / Firebase token
Managed auth providers hand you a JWT, but the interesting part is buried: custom claims, scopes, and a exp you need to check against "now." Paste the whole id_token or access_token and Smart Decode shows the header and payload at once and converts exp/iat/auth_time to readable dates — so you can confirm in seconds whether a 401 is really an expiry problem.
Debugging a signed cookie or session value
Framework session cookies (Express, Rails, Flask, Laravel) are routinely URL-encoded on the wire, Base64 underneath, and JSON inside that — sometimes with another encoded blob in one field. Instead of unwrapping each layer by hand in three separate tools, paste the raw Set-Cookie value and read the whole structure as a tree.
Inspecting an OAuth state or redirect parameter
OAuth flows pack data into the state query parameter — usually URL-encoded Base64 of a JSON object holding a CSRF nonce and a return URL. Smart Decode percent-decodes, Base64-decodes, and pretty-prints it in one click so you can verify what your app actually round-tripped through the provider.
Reading a mystery value from a log or queue message
A worker logs a payload you don't recognize, or a webhook delivers a Base64 body. Rather than guessing the format, paste it and let detection tell you what it is and reveal anything decodable nested inside.
What it can detect
| Type | Decoded? | Notes |
|---|---|---|
| JWT | Yes | Header + payload expanded; claims inspected |
| Base64 / Base64URL | Yes | Recurses into the decoded result |
| URL-encoded | Yes | Percent-decoding, then re-inspect |
| Hex | Yes | When it decodes to readable text |
| JSON | Yes | Pretty-printed; string fields decoded |
| Unix timestamp | Yes | Seconds and milliseconds → dates |
| UUID / ULID | Identify | Version detected; not "decodable" |
| MD5 / SHA / bcrypt | Identify | One-way — cannot be reversed |
For pure identification of hashes and IDs (which can't be decoded), use the companion What Is This String? tool.
⚠️ Reference Only
Output is generated based on your input and is provided for reference. Results may vary depending on your specific use case, edge cases, or environment-specific behavior. We do not guarantee accuracy of conversions, validations, or computed values.
Always verify critical outputs against official documentation or production environments. We are not responsible for any decisions or losses based on these tool results.
📖 Related Guides
JWT Anatomy — Header, Payload, Signature
Understand JWT structure, claims, and signing algorithms. Security best practices.
URL Encoding — When to Use What
encodeURI vs encodeURIComponent vs escape. Query strings, paths, and reserved characters.
Hash Algorithms — MD5, SHA-1, SHA-256, bcrypt
When to use each hash function. Security comparison and password storage best practices.