JWT Decoder & Verifier

JWT Decoder & Verifier

Decode any JSON Web Token, inspect its claims, verify the signature (HS, RS, ES, PS) and build new tokens — 100% in your browser.

Header


          

Payload


          

Signature


        

Verify Signature

Algorithm: —

Recent Tokens

How to Use the JWT Decoder

  1. Paste your token. Drop a JWT into the box, click Paste, or load the sample to explore.
  2. Read the decoded data. The header, payload and signature appear instantly, with claims like expiry shown in plain language.
  3. Verify the signature (optional). Enter the HMAC secret or paste a public key, then click Verify to confirm the token is authentic and untampered.
  4. Generate tokens. Switch to Encode, edit the header and payload, choose an algorithm, supply a key and create a freshly signed JWT.

What Is a JWT?

A JSON Web Token (JWT) is a compact, URL-safe way to represent claims between two parties. It is made of three Base64URL-encoded parts separated by dots: a header (the signing algorithm and token type), a payload (the claims — data such as user ID, roles and expiry), and a signature that proves the token has not been altered.

JWTs are widely used for authentication and authorization. After you log in, a server issues a signed token; your app then sends it with each request so the server can trust who you are without storing a session. Because the payload is only encoded (not encrypted), anyone can read it — which is exactly why this decoder works without any key.

This tool decodes tokens entirely in your browser and can also verify the signature using the Web Crypto API for HMAC (HS256/384/512), RSA (RS & PS), and ECDSA (ES) algorithms. Nothing — not your token, secret or keys — is ever sent to a server.

Common Use Cases

🔍 Debug auth issuesInspect a token's claims to see why a login or API call is being rejected.
⏳ Check expiryInstantly see whether a token is active, expired, or not yet valid.
🔒 Verify authenticityConfirm a token's signature with your secret or public key before trusting it.
📝 Build test tokensGenerate signed JWTs with custom claims for testing APIs and middleware.
👤 Read user infoPull out subject, roles, issuer and audience without writing any code.
🚀 Learn how JWTs workSee the header, payload and signature side by side to understand the structure.

Why Choose This JWT Tool

  • 100% privateTokens, secrets and keys are processed locally and never uploaded.
  • Real signature verificationHS, RS, PS and ES algorithms verified with native Web Crypto.
  • Smart claim insightsExpiry, issued-at and not-before shown as readable dates and status.
  • Built-in generatorCreate and sign new tokens with custom headers and payloads.
  • Color-coded & highlightedHeader, payload and signature are clearly separated and syntax-highlighted.
  • Free & unlimitedNo sign-up, no limits, no watermark, works on desktop and mobile.

Frequently Asked Questions

Is my token sent to a server?
No. Decoding, verification and signing all happen locally in your browser using JavaScript and the Web Crypto API. Your tokens, secrets and keys never leave your device.
Can anyone read a JWT?
Yes. The header and payload are only Base64URL-encoded, not encrypted, so anyone can decode and read them. The signature does not hide the data — it only proves the token was not altered. Never put secrets in a JWT payload.
Which algorithms can it verify?
HMAC (HS256, HS384, HS512) using a shared secret, plus RSA (RS256/384/512), RSA-PSS (PS256/384/512) and ECDSA (ES256/384/512) using a public key in PEM or JWK format.
What does "signature invalid" mean?
It means the secret or key you supplied does not match the one used to sign the token, or the token has been modified. A valid result confirms both the key matches and the contents are intact.
What is the difference between encoding and encryption?
A JWT is encoded and signed, not encrypted. Encoding makes data URL-safe and readable by anyone; encryption hides it. For confidential data you would use JWE (encrypted tokens) instead.
Why is my token expired?
The exp claim holds an expiry time. If the current time is past it, the token is expired and most servers will reject it. This tool shows the exact expiry date and a live status badge.

Related Tools

Scroll to Top