JWT Decoder

Decode and inspect any JSON Web Token. View the header, payload, and signature. Verify HS256 signatures with a secret. Check if the token is expired. All processing runs locally in your browser — nothing is sent to any server.

🔒 All processing happens locally in your browser — nothing is stored or sent to any server.


How to Use This JWT Decoder

  1. Paste a JWT token into the input area — or click Load sample to try it out.
  2. The token is decoded instantly — Header shows the algorithm and type, Payload shows all claims including standard ones like sub, iat, and exp.
  3. The token expiry status is shown automatically — green for valid, red for expired.
  4. Verify: enter a secret key above the button to verify HS256/HS384/HS512 signatures. Other algorithms cannot be verified locally without the public key.
  5. Click Copy Header or Copy Payload to copy individual sections.

About JWT Tokens

JSON Web Tokens (JWTs) are the dominant standard for stateless authentication in modern web applications. When you log into a site, instead of storing a session on the server, the server issues a signed JWT that the client sends with every request. The server verifies the signature to confirm the token is genuine, and reads the claims (like user ID) directly from the payload without querying a database.

JWTs are safe to decode and inspect — the header and payload are just Base64url-encoded JSON. Anyone can read them without a key. The signature is what prevents tampering: if an attacker changes a claim in the payload, the signature verification will fail because they don't have the secret key. This is why you should never accept a JWT without verifying its signature.

This tool uses the Web Crypto API to verify HMAC-based signatures (HS256, HS384, HS512) locally. For RS256 and other public-key algorithms, you would need the issuer's public key. All decoding happens in your browser — no token is ever sent to any server.

Frequently Asked Questions

What is a JWT token?

A JWT (JSON Web Token) is a compact, URL-safe standard for securely transmitting information between parties as a JSON object. It consists of three parts: a header (metadata like the algorithm), a payload (the claims/data), and a signature (which verifies authenticity). JWTs are commonly used for authentication and authorization in modern web applications.

What does a JWT decoder show?

The Header contains metadata about the token — primarily the signing algorithm (like HS256 or RS256) and the token type (always JWT). The Payload contains the claims — predefined fields like sub (subject, usually the user ID), iat (issued at), and exp (expiration), plus any custom claims. The Signature is the cryptographic proof that the token was signed by the issuer.

How do I verify a JWT signature?

Enter the token in the decoder, then enter the secret key (for HMAC algorithms like HS256) or leave it blank to just decode. If you have the secret, the tool will verify whether the signature is valid using the Web Crypto API. Note: only HMAC-based algorithms (HS256, HS384, HS512) can be verified locally. RS256 and other public-key algorithms require the public key.

Is my JWT sent to a server?

No. All decoding and verification happens 100% in your browser using JavaScript's built-in Base64url decoding and the Web Crypto API. The token never leaves your device. You can even use this tool offline once the page loads.

What does "expired" mean?

The exp (expiration) claim in a JWT specifies when the token becomes invalid. If the current time is past this timestamp, the token is considered expired and should not be accepted by the server. This tool shows you the expiration status and how long until expiry (or how long ago it expired).

Can I decode a JWT without signature verification?

Yes. You can decode any JWT without a secret — the header and payload are plain Base64url-encoded JSON that can be decoded by anyone. The signature only proves the token was created by someone who knows the secret. For read-only inspection of a token (checking claims, expiry, etc.), no secret is needed.

What is the difference between HS256 and RS256?

HS256 (HMAC with SHA-256) is a symmetric algorithm — the same secret is used for both signing and verification. It is fast and simple but requires sharing the secret between all parties. RS256 (RSA with SHA-256) is asymmetric — it uses a private key to sign and a public key to verify. This is better for systems where multiple parties need to verify tokens without sharing a secret. RS256 verification requires the public key and cannot be done locally with just a secret.

Enjoying SlimUtils? If these free tools saved you time, consider buying us a coffee! Support on Ko-fi