JWT Decoder / Debugger

Decode JWT headers and payloads, inspect claims, and optionally verify HS256 signatures — all in your browser.

Runs 100% in your browser — nothing is uploaded

About this tool

The JWT Decoder parses any JSON Web Token (JWT) and displays the header, payload, and signature in a readable format. It highlights standard claims: iss (issuer), sub (subject), aud (audience), exp (expiration), iat (issued at), and nbf (not before). Expiration and issued-at timestamps are converted to human-readable dates automatically.

For HS256-signed tokens, you can optionally enter the secret key to verify the signature locally using the browser's Web Crypto HMAC implementation. The tool never sends your token or secret to any server — verification happens entirely client-side, in the same tab.

A JWT has three Base64url-encoded parts separated by dots: a JSON header, a JSON payload, and a signature. This tool also handles malformed or expired tokens gracefully, showing the decoded content with a clear warning about the token's validity state. Common use cases: debugging authentication flows, inspecting claims from an OAuth/OIDC provider, checking token expiry, and checking the algorithm declared in the header.
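
The difference between decoding and verifying described above, as an added example (not this tool's own source): decoding needs no key, while verification pins the header's alg to HS256, checks the HMAC with Web Crypto, and only then evaluates exp and nbf. The function names, the secret and the sample claims are assumptions made for the illustration.

```javascript
// Added example, not this tool's source. Runs in a browser or a recent Node.
const enc = new TextEncoder();
// Base64url (URL-safe alphabet, padding stripped) to bytes.
function b64urlToBytes(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  return Uint8Array.from(atob(b64.padEnd(Math.ceil(b64.length / 4) * 4, '=')), c => c.charCodeAt(0));
}

// Decoding needs no key: anyone holding the token can read header and payload.
function decodeJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('expected header.payload.signature');
  const json = p => JSON.parse(new TextDecoder().decode(b64urlToBytes(p)));
  return { header: json(parts[0]), payload: json(parts[1]),
           signingInput: `${parts[0]}.${parts[1]}`, signature: b64urlToBytes(parts[2]) };
}

// Import the shared secret as a non-extractable HMAC-SHA-256 key.
async function hmacKey(secret, usage) {
  // Fallback import covers Node versions without a global Web Crypto object.
  const subtle = globalThis.crypto?.subtle ?? (await import('node:crypto')).webcrypto.subtle;
  const key = await subtle.importKey('raw', enc.encode(secret), { name: 'HMAC', hash: 'SHA-256' }, false, [usage]);
  return { subtle, key };
}

// Verification: pin the algorithm, check the HMAC, then check the time claims.
async function verifyHs256(token, secret, now = Math.floor(Date.now() / 1000)) {
  const { header, payload, signingInput, signature } = decodeJwt(token);
  if (header.alg !== 'HS256') return { valid: false, reason: 'alg is not HS256' };
  const { subtle, key } = await hmacKey(secret, 'verify');
  if (!(await subtle.verify('HMAC', key, signature, enc.encode(signingInput))))
    return { valid: false, reason: 'signature mismatch' };
  if (typeof payload.exp === 'number' && now >= payload.exp) return { valid: false, reason: 'expired' };
  if (typeof payload.nbf === 'number' && now < payload.nbf) return { valid: false, reason: 'not yet valid' };
  return { valid: true, payload };
}

// Helper that builds a constructed sample token (hypothetical secret and claims).
async function signHs256(payload, secret) {
  const b64url = bytes => btoa(String.fromCharCode(...bytes))
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  const input = [{ alg: 'HS256', typ: 'JWT' }, payload]
    .map(o => b64url(enc.encode(JSON.stringify(o)))).join('.');
  const { subtle, key } = await hmacKey(secret, 'sign');
  return `${input}.${b64url(new Uint8Array(await subtle.sign('HMAC', key, enc.encode(input))))}`;
}
// Constructed sample: accepted with the right secret, rejected with a wrong one.
signHs256({ sub: 'alice', exp: 4102444800 }, 'constructed-secret')
  .then(async t => console.log(await verifyHs256(t, 'constructed-secret'), await verifyHs256(t, 'wrong-secret')));
```

Rejecting any alg other than HS256 before touching the key means a token whose header declares a different algorithm is never treated as verified.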

Frequently asked questions

Is it safe to paste my JWT into this tool?
Yes — this tool makes zero network requests. Your token is decoded entirely in JavaScript running in your browser tab. Open DevTools → Network to verify. That said, treat production JWTs as sensitive; avoid pasting long-lived admin tokens into any online tool as a general practice.

Why does it show the payload but say "signature not verified"?
Decoding (Base64url decode of the payload) and verification are different operations. Anyone can decode the payload — JWTs are not encrypted by default. Signature verification requires the secret key and proves the token was issued by a trusted party that holds that key and has not been modified since.

What is the difference between RS256 and HS256?
HS256 uses a shared HMAC secret (symmetric). RS256 uses an RSA private key to sign and a public key to verify (asymmetric). RS256 is preferred for public APIs where you cannot safely share a secret. This tool currently supports HS256 verification; RS256 verification requires the public key.

Can a JWT be encrypted?
Yes — JWE (JSON Web Encryption) wraps an encrypted payload. Standard JWTs (JWS) are only signed, not encrypted, so the payload is readable by anyone. Do not put secrets in standard JWT payloads.