About JWT Decoder

Paste a JSON Web Token and instantly see its decoded header, payload, and signature, then cryptographically verify the signature right in your browser. The decoder splits the three Base64URL-encoded segments, parses the JSON, and checks <code>exp</code> and <code>nbf</code> against the current time to flag expired or not-yet-valid tokens. Registered claims are explained in a reference table and timestamps are shown as human-readable dates. For verification, supply the HMAC secret (HS256/384/512) or the issuer’s public key as PEM or JWK (RS, PS, and ES families) — the Web Crypto API checks the signature locally. Everything runs client-side; no token, secret, or key ever leaves your browser.

  • Decodes header and payload from Base64URL with full UTF-8 handling for multibyte claims
  • Validates three-part JWT structure and reports malformed tokens
  • Flags expired (<code>exp</code>) and not-yet-valid (<code>nbf</code>) tokens against the current time
  • Verifies signatures client-side for HS256/384/512, RS256/384/512, PS256/384/512, and ES256/384/512
  • Accepts the HMAC secret, or an asymmetric public key as PEM (SPKI) or JWK JSON
  • Explains registered claims (iss, sub, aud, exp, nbf, iat, jti, azp, scope, …) in a reference table

Frequently Asked Questions

Does this tool verify the JWT signature?
Yes. Provide the HMAC secret for HS-family tokens, or the issuer’s public key (PEM or JWK) for RS/PS/ES tokens, and the signature is verified cryptographically using your browser’s Web Crypto API. Without a key it still decodes the token for inspection.
Is it safe to paste my JWT, secret, or key here?
Yes. Decoding and verification happen entirely in your browser via Web Crypto; no token, secret, or key is ever sent over the network.
Which algorithms are supported for verification?
HS256/384/512 (HMAC), RS256/384/512 (RSASSA-PKCS1-v1_5), PS256/384/512 (RSA-PSS), and ES256/384/512 (ECDSA). The insecure "none" algorithm is reported as unsigned.

More Development Tools

All Development tools