JWT Decoder and Verifier
Decode any JSON Web Token instantly. Inspect the header, payload, and claim expiry. Verify HS256/HS384/HS512 with a secret or RS256 with a public key. Everything runs locally; your tokens never go to a server.
What is a JWT?
A JSON Web Token is a compact, URL-safe encoded string with three parts separated by dots: header.payload.signature. Header and payload are Base64url-encoded JSON; the signature proves the token was issued by someone holding the secret or private key.
How to use this decoder
- Paste your JWT into the token field.
- Header and payload appear immediately, color-coded.
- Standard claims (iss, sub, exp, iat, nbf) are extracted with human-readable timestamps and validity warnings.
- To verify the signature, paste your secret (HS256/384/512) or public key in PEM format (RS256/384/512), then click Verify.
Standard claims
- iss: issuer.
- sub: subject (typically the user id).
- aud: audience.
- exp: expiration time (Unix epoch seconds).
- nbf: not before.
- iat: issued at.
- jti: JWT id, unique per token.
Verifying signatures
Verification is performed using the browser's built-in SubtleCrypto API. HS256/384/512 uses a shared secret. RS256/384/512 uses an RSA public key in SPKI/PEM format. The token never leaves your machine.
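The HS256 path described above, written against SubtleCrypto as an added example; this is not the tool's own source. The function names, the sample secret and the token built by `signHs256` are constructed for illustration.

```javascript
// Added example, not the tool's source: decode and verify an HS256 JWT with SubtleCrypto.
const enc = new TextEncoder(), dec = new TextDecoder();

// JWT segments use the URL-safe Base64 alphabet without padding.
const b64uToBytes = (s) =>
  Uint8Array.from(atob(s.replace(/-/g, "+").replace(/_/g, "/")), (c) => c.charCodeAt(0));
const bytesToB64u = (b) =>
  btoa(String.fromCharCode(...b)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");

async function hmacKey(secret, usage) {
  // Browsers expose crypto.subtle; older Node versions need the webcrypto export.
  const subtle = globalThis.crypto?.subtle ?? (await import("node:crypto")).webcrypto.subtle;
  const alg = { name: "HMAC", hash: "SHA-256" };
  return { subtle, key: await subtle.importKey("raw", enc.encode(secret), alg, false, [usage]) };
}

// Builds a constructed sample token so the example runs offline.
async function signHs256(payload, secret) {
  const body = [{ alg: "HS256", typ: "JWT" }, payload]
    .map((o) => bytesToB64u(enc.encode(JSON.stringify(o)))).join(".");
  const { subtle, key } = await hmacKey(secret, "sign");
  const sig = new Uint8Array(await subtle.sign("HMAC", key, enc.encode(body)));
  return `${body}.${bytesToB64u(sig)}`;
}

// Returns { ok, reason } or { ok, payload }; `now` is Unix epoch seconds.
async function verifyHs256(token, secret, now = Math.floor(Date.now() / 1000)) {
  const parts = token.split(".");
  if (parts.length !== 3) return { ok: false, reason: "malformed" };
  const [h, p, s] = parts;
  let header, payload, sig;
  try {
    header = JSON.parse(dec.decode(b64uToBytes(h)));
    payload = JSON.parse(dec.decode(b64uToBytes(p)));
    sig = b64uToBytes(s);
  } catch {
    return { ok: false, reason: "malformed" };
  }
  // Accept only the algorithm the caller expects; the header is untrusted input.
  if (header.alg !== "HS256") return { ok: false, reason: "unexpected alg" };
  const { subtle, key } = await hmacKey(secret, "verify");
  // The signature covers the exact ASCII bytes of "header.payload" as received.
  if (!(await subtle.verify("HMAC", key, sig, enc.encode(`${h}.${p}`))))
    return { ok: false, reason: "bad signature" };
  // Claims are only meaningful once the signature has checked out.
  if (typeof payload.exp === "number" && now >= payload.exp) return { ok: false, reason: "expired" };
  if (typeof payload.nbf === "number" && now < payload.nbf) return { ok: false, reason: "not yet valid" };
  return { ok: true, payload };
}
```

A decoded payload that fails `verifyHs256` should be treated as display-only data, never as proof of identity.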
Privacy
Decoding and verification are done entirely in your browser. No JWT, secret, or public key is sent to any server. The source code is small enough to inspect via "View Source" if you need to confirm.