Toolisti

JWT Decoder

Decode, inspect, and verify JSON Web Tokens with our comprehensive JWT tool. View header and payload with claim explanations, verify HMAC signatures (HS256, HS384, HS512), check expiration status, and encode new tokens.

All JWT operations happen in your browser. Your tokens and secrets are never sent to any server.


How to Use

  1. Paste your JWT token — Paste your JWT token in the input field. The token is automatically parsed and validated. You can also use the Sample JWT button to see an example token.
  2. View decoded header and payload — See the decoded header (algorithm, type) and payload with formatted JSON. Standard claims like iss, sub, exp, iat are explained with helpful descriptions.
  3. Check token status — Instantly see if your token has a valid structure, whether it's expired, and when it expires. Expiration time is shown in human-readable format.
  4. Verify signature (optional) — Enter your secret key to verify HMAC signatures (HS256, HS384, HS512). The verification uses the Web Crypto API for secure, client-side processing.
  5. Encode new tokens (optional) — Switch to Encode mode to create new JWT tokens. Enter your header and payload JSON, select the algorithm, provide your secret key, and generate a signed token.

Frequently Asked Questions

What are the three parts of a JWT?

A JWT consists of three Base64url-encoded parts (the URL-safe Base64 alphabet, without padding) separated by dots: the Header (contains the algorithm and token type), the Payload (contains the claims/data), and the Signature (lets a verifier check that the token hasn't been tampered with).

What do the standard claims mean?

iss (issuer) identifies who created the token, sub (subject) is typically the user ID, aud (audience) specifies intended recipients, exp (expiration) is when the token expires, nbf (not before) is when the token becomes valid, iat (issued at) is creation time, jti (JWT ID) is a unique identifier.

Which signature algorithms are supported?

We support HMAC algorithms: HS256 (HMAC-SHA256), HS384 (HMAC-SHA384), and HS512 (HMAC-SHA512). These use symmetric keys where the same secret is used for signing and verification. RSA and ECDSA algorithms are displayed but not verified client-side.

Is it safe to paste my JWT tokens here?

Yes! All JWT decoding and verification happens entirely in your browser using JavaScript. Your tokens and secrets are never sent to any server. However, never share your JWT tokens or secrets publicly as they may contain sensitive information.

Why can anyone decode my JWT?

JWTs are Base64url-encoded, not encrypted, so anyone who holds a token can read its header and payload. The signature only verifies integrity (that the token wasn't modified), not confidentiality. Never put sensitive data like passwords in JWT payloads. For sensitive data, use encryption or store it server-side.

What's the difference between HS256 and RS256?

HS256 uses a symmetric secret (same key for signing and verifying), while RS256 uses asymmetric keys (private key for signing, public key for verifying). HS256 is simpler but requires sharing the secret. RS256 is more secure for distributed systems where verifiers shouldn't have signing capability.

How do I create a new JWT?

Switch to Encode mode using the toggle at the top. Enter your header JSON (with algorithm and type), your payload JSON (with your claims), and your secret key. Click Generate Token to create a signed JWT that you can use in your applications.

My token shows as expired but should be valid. Why?

JWT expiration (exp claim) uses Unix timestamps (seconds since Jan 1, 1970). Make sure your server's clock is synchronized. The tool uses your browser's local time for comparison. Also check that the exp value is in seconds, not milliseconds.
