JWT Decoder

Paste a JWT and instantly see its header, payload, and signature. Verify HS256/HS384/HS512 signatures by providing the shared secret.

100% Free
No Signup
Works on Mobile
Browser-side

Everything runs in your browser — input never reaches our servers.

Ad slot · DEV-TOP · horizontal

JWT

Header

{"alg":"HS256","typ":"JWT"}

Payload

{"sub":"1234567890","name":"John Doe","iat":1516239022}

Signature

SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Verify HS256 / HS384 / HS512 signature

Shared secret

Ad slot · DEV-BOTTOM · horizontal

What is a JWT

A JSON Web Token (JWT) is a compact, URL-safe way to transmit signed claims between two parties. It has three base64url-encoded segments separated by dots: a header (algorithm and token type), a payload (the actual claims), and a signature that proves the token wasn't modified after signing.

Verifying signatures safely

This decoder verifies HMAC family signatures (HS256, HS384, HS512) using the WebCrypto API and a secret you provide. RSA and ECDSA signatures (RS256, ES256) are decoded for inspection but not verified — pasting a private key into a browser tool is risky and defeats the purpose of asymmetric crypto. Verify those server-side instead.

Frequently asked

Questions about this tool

Is the JWT decoder free?

Yes — completely free, no signup, no quota. Decode as many tokens as you need.

Are my tokens uploaded?

No. The header and payload are decoded locally using base64url decoding in your browser. Your token never leaves the page.

Which signing algorithms can be verified?

HS256, HS384, and HS512 verification is supported with a shared secret you provide. Asymmetric algorithms (RS256, ES256) are decoded for inspection but not verified — pasting a private key in a browser tool is risky and not encouraged.

Why is my signature invalid?

Most often the secret is wrong, the algorithm differs from what's in the header, or the token was modified after signing. Decoded payloads with no signature verification are still useful for debugging — just don't trust them in production.

What's a JWT made of?

Three base64url-encoded segments joined with dots: header (algorithm + type), payload (claims), and signature (proof the token wasn't tampered with). The decoder shows each part on its own panel.

More developer tools

Related tools

Developer Tools

Password Generator

Create strong, random passwords with adjustable length, symbols, and pronounceable options. 100% offline.

1991 users/month

Developer Tools

JSON Formatter & Validator

Format, validate, minify, and convert JSON with syntax error highlighting and JSONPath query support.

1896 users/month

Developer Tools

Base64 Encoder & Decoder

Encode and decode Base64 strings, files, and images instantly with URL-safe and standard variants.

1361 users/month

Developer Tools

URL Encoder & Decoder

Percent-encode and decode URLs, query parameters, and components for safe links and API requests.

New544 users/month

Developer Tools

UUID Generator

Generate v1, v4, or v7 UUIDs free in your browser. Single or batches up to 1,000. Copy or download as .txt.

New Trending941 users/month

Developer Tools

Regex Tester

Test JavaScript regex patterns live in your browser. Live match highlighting, named + numbered capture groups, all standard flags.

New Trending1462 users/month

Developer Tools

YAML ↔ JSON

Convert YAML to JSON or JSON to YAML free in your browser. Live preview, YAML 1.2 support, anchors and aliases handled.

New Trending1526 users/month

Developer Tools

CSV to JSON

Convert CSV to JSON free in your browser. Auto-detects separators (comma, semicolon, tab, pipe), handles quoted values, header toggle.

New Trending830 users/month