TextSorter

What is a JWT?

A JSON Web Token (JWT) is a compact, URL-safe credential used to securely transmit information between parties as a JSON object. JWTs are widely used for authentication, session tokens, API keys, and OAuth 2.0 access tokens across web and mobile applications.

A JWT always has three parts separated by dots: header.payload.signature. Each part is Base64URL-encoded. The header declares the signing algorithm, the payload carries the claims (the data), and the signature is a cryptographic checksum that proves the token has not been tampered with.

How to decode a JWT online

Common JWT claims

| Claim | Meaning | Example |
|-------|---------|---------|
| iss | Issuer — who created and signed the token | "https://auth.example.com" |
| sub | Subject — the user/entity the token is about | "user_42" |
| aud | Audience — who the token is intended for | "my-api" |
| exp | Expiration time (Unix seconds). Token is invalid after this. | 1893456000 |
| nbf | Not-before — token not valid before this time | 1700000000 |
| iat | Issued-at — when the token was created | 1700000000 |
| jti | JWT ID — unique identifier (for revocation lists) | "a1b2c3d4" |

Is JWT decoding safe?

Decoding a JWT does not reveal the secret. The header and payload are Base64URL-encoded, not encrypted, so anyone with the token can read them. The signature is what proves authenticity, and verifying it requires the secret (for HMAC) or the public key (for RSA/ECDSA).

This tool runs 100% in your browser. Your tokens are never sent to our servers, logged, or stored anywhere. Pasting a production token here is safe — but treat the token itself like a password and rotate it if it has leaked elsewhere.

Frequently Asked Questions

Why are my JWT claims unreadable?
JWT payloads are Base64URL-encoded JSON. To a human, they look like random characters, but they're not encrypted — just encoded. This tool decodes the Base64 and pretty-prints the JSON so you can read it.
Can I verify RS256 / ES256 signatures here?
Not yet — this version supports HS256, HS384, and HS512 (HMAC-based) verification, which uses a shared secret. RSA and ECDSA verification require a public key and will be added in a future update.
My token says "expired" but I just received it — why?
Check your system clock. The "expired" check compares the exp claim (Unix timestamp) against your browser's local time. A clock that's out of sync by even a few minutes can make a fresh token appear expired.
Is the signature part decoded?
The signature is shown raw (Base64URL-encoded). Unlike the header and payload, it's not JSON: it's an HMAC or digital signature computed over base64url(header).base64url(payload) with the secret or private key. You can only meaningfully "decode" it by verifying it against the original data and key.
Does this tool store my tokens?
No. Decoding happens entirely in your browser using JavaScript. Nothing is sent to any server, saved to localStorage, or logged. Close the tab and your token is gone.
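
The HMAC signature check and the exp clock-skew behaviour described above, as an added Node.js example that is not this tool's own code. The function names, the 60-second default skew and the sample secret are assumptions made for illustration.

```javascript
// Added example for Node.js; not the decoder tool's own code.
const crypto = require("node:crypto");

// Allow-list of the HMAC algorithms the page covers; anything else is rejected.
const HMAC_ALGS = { HS256: "sha256", HS384: "sha384", HS512: "sha512" };

const decodePart = (part) => JSON.parse(Buffer.from(part, "base64url").toString("utf8"));

// Returns { ok: true, header, payload } or { ok: false, reason }.
// skewSec (assumed default: 60) tolerates clock drift between issuer and verifier.
function verifyHmacJwt(token, secret, { now = Math.floor(Date.now() / 1000), skewSec = 60 } = {}) {
  const parts = String(token).split(".");
  if (parts.length !== 3) return { ok: false, reason: "malformed" };
  const [h, p, s] = parts;
  let header, payload;
  try {
    header = decodePart(h);
    payload = decodePart(p);
  } catch {
    return { ok: false, reason: "malformed" };
  }
  // Object.hasOwn keeps inherited keys such as "constructor" out of the lookup.
  const alg = header?.alg;
  const hash = typeof alg === "string" && Object.hasOwn(HMAC_ALGS, alg) ? HMAC_ALGS[alg] : null;
  if (!hash) return { ok: false, reason: "unsupported alg" };

  // The MAC covers the encoded header and payload exactly as received.
  const expected = Buffer.from(crypto.createHmac(hash, secret).update(`${h}.${p}`).digest("base64url"));
  const given = Buffer.from(s);
  // timingSafeEqual throws on unequal lengths, so check length first.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: "bad signature" };
  }
  // Time claims are evaluated only once the signature is trusted.
  if (typeof payload?.exp === "number" && now - skewSec >= payload.exp) return { ok: false, reason: "expired" };
  if (typeof payload?.nbf === "number" && now + skewSec < payload.nbf) return { ok: false, reason: "not yet valid" };
  return { ok: true, header, payload };
}

// Builds a constructed sample token so the example runs offline.
function signSample(header, payload, secret) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
  const input = `${enc(header)}.${enc(payload)}`;
  const hash = HMAC_ALGS[header.alg];
  const sig = hash ? crypto.createHmac(hash, secret).update(input).digest("base64url") : "";
  return `${input}.${sig}`;
}
```

Passing a fixed `now` makes the expiry decision reproducible, which is useful when checking whether an "expired" result comes from the token or from the verifier's clock.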
