JWT Decoder & Verifier
Decode and inspect JSON Web Tokens instantly. View color-coded header and payload, claim explanations, expiration status, and verify HMAC signatures — all in your browser.
100% local: runs in your browser.
Zero sent: no tracking, no servers.
How to use
1. Paste your JWT token — copy your JWT from your application, API response, or developer tools and paste it into the input field above.
2. View decoded header and payload — see the decoded JSON with syntax highlighting and human-readable labels for standard claims like Issuer, Subject, and Expiration Time.
3. Check the expiration status — instantly see whether the token is expired or still valid, with relative time display (e.g., "Expired 2h ago" or "Expires in 3d").
4. Verify HMAC signature — optionally enter your secret key to verify HS256, HS384, or HS512 signatures using the Web Crypto API, entirely in your browser.
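What steps 2 to 4 involve, as an added example that is not this tool's own code: decoding the parts, checking `exp`, and verifying an HS256/HS384/HS512 signature with the Web Crypto API. The function names, the caller-pinned `expectedAlg` parameter, and the sample token produced by `signJwt` are assumptions of this example.

```javascript
// Added example: decode a JWT, pin the algorithm, verify the HMAC, check exp.
const HASH = new Map([['HS256', 'SHA-256'], ['HS384', 'SHA-384'], ['HS512', 'SHA-512']]);
const enc = new TextEncoder();

const b64urlToBytes = (s) => {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  return Uint8Array.from(atob(b64 + '='.repeat((4 - (b64.length % 4)) % 4)), (c) => c.charCodeAt(0));
};
const bytesToB64url = (bytes) =>
  btoa(String.fromCharCode(...bytes)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const jsonPart = (s) => JSON.parse(new TextDecoder().decode(b64urlToBytes(s)));

async function hmacKey(secret, alg, usage) {
  // Browsers expose crypto.subtle globally; older Node versions need the import.
  const subtle = globalThis.crypto?.subtle ?? (await import('node:crypto')).webcrypto.subtle;
  const key = await subtle.importKey('raw', enc.encode(secret),
    { name: 'HMAC', hash: HASH.get(alg) }, false, [usage]);
  return { subtle, key };
}

// expectedAlg is pinned by the caller and never taken from the token, so a header
// claiming "none" or a different algorithm is rejected before any key is used.
async function verifyJwt(token, secret, expectedAlg = 'HS256', now = Date.now() / 1000) {
  const parts = token.split('.');
  if (parts.length !== 3) return { valid: false, reason: 'malformed' };
  let header, payload, sig;
  try {
    header = jsonPart(parts[0]); payload = jsonPart(parts[1]); sig = b64urlToBytes(parts[2]);
  } catch { return { valid: false, reason: 'malformed' }; }
  if (!HASH.has(expectedAlg) || header?.alg !== expectedAlg)
    return { valid: false, reason: 'alg-mismatch', header, payload };
  const { subtle, key } = await hmacKey(secret, expectedAlg, 'verify');
  // subtle.verify recomputes the MAC over "header.payload" and compares it to sig.
  const ok = await subtle.verify('HMAC', key, sig, enc.encode(`${parts[0]}.${parts[1]}`));
  if (!ok) return { valid: false, reason: 'bad-signature', header, payload };
  if (typeof payload?.exp === 'number' && payload.exp <= now)
    return { valid: false, reason: 'expired', header, payload };
  return { valid: true, reason: 'ok', header, payload };
}

// Builds a constructed sample token so the example runs offline.
async function signJwt(header, payload, secret) {
  const input = [header, payload].map((o) => bytesToB64url(enc.encode(JSON.stringify(o)))).join('.');
  const { subtle, key } = await hmacKey(secret, header.alg, 'sign');
  const sig = new Uint8Array(await subtle.sign('HMAC', key, enc.encode(input)));
  return `${input}.${bytesToB64url(sig)}`;
}
```

The signature is checked before `exp` because claims in an unverified payload cannot be trusted.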
Frequently asked questions
What is a JWT (JSON Web Token)?
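A JSON Web Token (JWT) is a compact, URL-safe token format used for securely transmitting information between parties. It consists of three base64url-encoded parts separated by dots: a header (algorithm and type), a payload (claims/data), and a signature. The header and payload are encoded, not encrypted, so anyone holding the token can read them; the signature only protects them against modification.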
Can this tool verify my JWT signature?
Yes, this tool can verify HMAC signatures (HS256, HS384, HS512) using the Web Crypto API. Enter your secret key and click Verify to check if the signature is valid. All verification happens in your browser.
What JWT claims are explained?
The tool labels standard JWT claims including iss (Issuer), sub (Subject), aud (Audience), exp (Expiration Time), nbf (Not Before), iat (Issued At), jti (JWT ID), and common claims like name, email, roles, and permissions. Timestamp claims are formatted as human-readable dates.
Is it safe to paste my JWT here?
Yes. This tool runs entirely in your browser using JavaScript. Your JWT token is never sent to any server. The decoding and verification all happen client-side in your browser's memory.
Does this tool support RSA or ECDSA verification?
Not yet. Currently only HMAC algorithms (HS256, HS384, HS512) can be verified. RSA and ECDSA signature verification is planned for a future update.