JWT Decoder
Decode JSON Web Tokens to inspect header and payload. Verify HMAC-SHA256 signatures and check token expiration. Everything runs in your browser.
Paste any JWT token to see its contents. The token is only decoded, not decrypted — JWT payloads are Base64-encoded, not encrypted. Never store sensitive data in JWT payloads.
How It Works
This JWT decoder processes your token entirely in your browser — no data is sent to any server. Paste a JWT token and click "Decode" to see its contents instantly.
JWT Structure
A JWT consists of three Base64url-encoded parts (the URL-safe Base64 variant, without padding) separated by dots: Header (algorithm and token type), Payload (claims and user data), and Signature (verification hash). The decoder splits the token, decodes each part, and displays the JSON content with syntax highlighting.
Standard Claims
The decoder recognizes standard JWT claims: exp (expiration time), iat (issued at), nbf (not before), sub (subject), iss (issuer), aud (audience), and jti (JWT ID). Timestamp claims are automatically converted to human-readable dates.
Signature Verification
Enable "Verify Signature" and enter your HMAC secret key to verify the token's signature. The tool supports HS256 (HMAC-SHA256), the most common JWT signing algorithm. A green message confirms a valid signature; red indicates tampering or the wrong key.
Expiration Check
If the payload contains an exp claim, the decoder automatically checks whether the token is still valid or has expired, showing the exact expiration time and remaining/elapsed duration.
Privacy First
All processing runs locally in your browser using JavaScript and the Web Crypto API. Your token and secret key never leave your device — there are no server requests, no cookies, and no tracking.
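The checks described under Signature Verification and Expiration Check, written against the Web Crypto API as an added example (this is not the tool's own code). The function names, the `nowSec` parameter and the `signHs256` helper are assumptions made for illustration; the verifier pins HS256 rather than trusting the token's header and reads `exp`/`nbf` only after the signature has been accepted.

```javascript
// Added example (not the tool's own code): HS256 verification with the Web Crypto API.
const subtle = (globalThis.crypto ?? require("node:crypto").webcrypto).subtle; // fallback for Node < 19
const enc = new TextEncoder();
const dec = new TextDecoder();

// JWT segments are base64url (RFC 4648 section 5): "-" and "_" replace "+" and "/", padding is dropped.
function b64urlToBytes(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/").padEnd(Math.ceil(s.length / 4) * 4, "=");
  return Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
}
function bytesToB64url(bytes) {
  return btoa(String.fromCharCode(...bytes)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}
const importKey = (secret, usage) =>
  subtle.importKey("raw", enc.encode(secret), { name: "HMAC", hash: "SHA-256" }, false, [usage]);

// Assumed helper, used only to construct sample tokens for exercising the verifier.
async function signHs256(payload, secret) {
  const seg = (obj) => bytesToB64url(enc.encode(JSON.stringify(obj)));
  const input = `${seg({ alg: "HS256", typ: "JWT" })}.${seg(payload)}`;
  const sig = await subtle.sign("HMAC", await importKey(secret, "sign"), enc.encode(input));
  return `${input}.${bytesToB64url(new Uint8Array(sig))}`;
}

async function verifyHs256(token, secret, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = token.split(".");
  if (parts.length !== 3) return { valid: false, reason: "malformed" };
  let header, payload, sig;
  try {
    header = JSON.parse(dec.decode(b64urlToBytes(parts[0])));
    payload = JSON.parse(dec.decode(b64urlToBytes(parts[1])));
    sig = b64urlToBytes(parts[2]);
  } catch {
    return { valid: false, reason: "malformed" };
  }
  // Pin the algorithm: the token's own header must not choose how it is verified.
  if (header?.alg !== "HS256") return { valid: false, reason: "unsupported alg" };
  // The MAC covers the exact bytes of "header.payload" as transmitted, not re-serialized JSON.
  const data = enc.encode(`${parts[0]}.${parts[1]}`);
  const ok = await subtle.verify("HMAC", await importKey(secret, "verify"), sig, data);
  if (!ok) return { valid: false, reason: "bad signature" };
  // Time claims are trusted only once the signature has been accepted.
  if (typeof payload?.exp === "number" && nowSec >= payload.exp) return { valid: false, reason: "expired" };
  if (typeof payload?.nbf === "number" && nowSec < payload.nbf) return { valid: false, reason: "not yet valid" };
  return { valid: true, payload };
}
```

`subtle.verify` compares the MAC inside the crypto implementation, so the code never compares signature strings itself.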
Frequently Asked Questions (FAQ)
Q: What is a JWT?
A: A JWT (JSON Web Token) is a compact, URL-safe token used for authentication and data exchange. It consists of three parts: Header, Payload, and Signature. JWTs are widely used in APIs, single-page applications, and mobile apps.
Q: Is my JWT stored on the server?
A: No. All decoding and verification happens directly in your browser. Your token is never sent to any server.
Q: Can this tool verify JWT signatures?
A: Yes. Enable "Verify Signature" and enter your secret key. The tool supports HS256 (HMAC-SHA256) verification using the Web Crypto API.
Q: What does the expiration check show?
A: If the payload contains an exp claim, the tool shows the expiration date, whether the token is valid or expired, and how much time is left or has passed.
Q: What are the three parts of a JWT?
A: Header contains the algorithm and type. Payload contains claims (user data, expiration, issuer). Signature is created by signing header + payload with a secret key.
Q: Is JWT decoding the same as decryption?
A: No. JWT payload is only Base64-encoded, not encrypted. Anyone can read the contents. The signature only prevents tampering. Never store passwords in JWT payloads.
Q: What algorithms are supported for verification?
A: This tool supports HS256 (HMAC-SHA256), the most common JWT signing algorithm. RSA and ECDSA require key pairs and are not supported in this browser-based tool.
Q: Is this tool free?
A: Yes, completely free with no registration required. Use it as many times as you need.