francescomargiotta.com

JWT Decoder

Decode and inspect JWT tokens in your browser. Optional HS256 signature verification. No data sent to any server.

Paste a token to decode it.

What a JWT is and how it works

A JWT (JSON Web Token, standard RFC 7519) is a compact format for transmitting information between two parties in a verifiable way. It underpins authentication for much of the modern web: after login a server issues a token that the client sends with every subsequent request to prove its identity. A JWT has three dot-separated parts — header, payload and signature — each Base64URL-encoded, making it a single string that travels easily in an HTTP header.

The header describes the token type and signing algorithm (for example HS256 or RS256). The payload holds the "claims" — statements about the user and the token: standard registered claims like sub (subject), iat (issued at), exp (expiration) and nbf (not before), plus any custom application claims. This tool decodes the header and payload in real time as you type and shows the dates in a readable format, flagging whether the token has expired.

It is essential to understand that decoding a JWT is not the same as verifying it: the header and payload are merely Base64URL-encoded, not encrypted, so anyone holding the token can read its contents. The signature is what guarantees the token has not been tampered with and comes from the issuer it claims to. For an HS256 token you can verify the signature here by entering the shared secret: the HMAC-SHA256 computation runs entirely in your browser via the Web Crypto API, so neither the token nor the secret ever leaves your device. For this reason, never paste a production token into online tools you do not trust.

Frequently asked questions

Does decoding a JWT verify it?
No. The header and payload are only Base64URL-encoded, not encrypted: anyone with the token can read its contents. Only verifying the signature — with the secret (HS256) or the public key (RS256) — proves the token is authentic and untampered.
Are the token or the secret sent to a server?
No. Decoding and the HMAC-SHA256 verification happen entirely in your browser via the native atob and Web Crypto APIs. Neither the token nor the secret ever leaves your device.
Why can I only verify HS256 tokens?
HS256 uses a symmetric shared secret, which is easy to enter and verify in the browser. RS256 and other asymmetric algorithms require importing a public key in PEM format: for now the tool decodes any token but only verifies HS256 signatures.
What do the iat, exp and nbf claims mean?
They are Unix timestamps (NumericDate): iat is when the token was issued, exp the expiration after which it is no longer valid, and nbf the moment before which it must not be accepted. The tool converts them to readable dates and flags whether the token has expired.