JWT Token Decoder
Decode, inspect, and verify JSON Web Tokens in your browser — free, no signup, no server calls.
What is a JWT Token?
A JWT (JSON Web Token) is an open standard (RFC 7519) for securely transmitting information between parties as a JSON object. JWTs are commonly used for authentication and authorization in modern web applications and APIs. They consist of three parts: Header, Payload, and Signature.
How Does a JWT Token Work?
A JWT is structured as three Base64url-encoded strings separated by dots: header.payload.signature. The header specifies the signing algorithm (typically HS256 or RS256). The payload contains claims — data about the user and metadata like expiration time (exp). The signature is computed over the first two parts with the signing key, so a verifier can check that the token came from a holder of that key and hasn't been altered since.
Is JWT Token Encoding or Encryption?
JWT tokens are encoded, not encrypted. The header and payload are simply Base64-encoded — anyone can decode and read them. The signature only ensures the token hasn't been modified. This means you should never store sensitive data like passwords or credit card numbers in a JWT payload.
What Does This Tool Do?
Our JWT Decoder lets you decode any JWT token and view its header, payload, and signature in readable JSON format. You can verify the HMAC-SHA256 signature with your secret key, and generate test JWT tokens with custom payloads — all running entirely in your browser.
Frequently Asked Questions
Can I decode a JWT without the secret key?
Yes. JWT header and payload are Base64-encoded, not encrypted, so anyone can decode and read them. The secret key is only needed to verify or create the signature.
How do I know if a JWT has expired?
Check the exp (expiration) claim in the payload. It's a Unix timestamp: seconds since 1970-01-01 UTC. If the current time is past that value, the token is expired. This tool automatically detects and warns about expired tokens.
What's the difference between HS256 and RS256?
HS256 (HMAC-SHA256) uses a single shared secret for both signing and verification — simpler, but every service that can verify tokens also holds the secret and could mint them. RS256 (RSA-SHA256) uses a public/private key pair — the private key signs the token and the public key verifies it, so verifiers can be given only the public key, making it safer for distributed systems.
Can I store passwords in a JWT?
No. JWT payloads are not encrypted — they're only Base64-encoded. Anyone who intercepts the token can read its contents. Only store non-sensitive user identifiers like user ID, name, and roles.
Does this tool store or send my tokens?
No. All JWT decoding, verification, and generation runs 100% in your browser using JavaScript. Your tokens never leave your machine.