JWT Decoder / Inspector / Validator

Decode, inspect, and verify JWT tokens — header, payload, claims, and HMAC signatures. Everything runs in your browser.


RSA and EC signature verification

RSA and EC signature verification requires importing public keys via the Web Crypto API. This feature is planned for a future update.

For HMAC-based tokens (HS256, HS384, HS512), full signature verification is available now using the HMAC Secret option.

What is a JWT?

A JSON Web Token (JWT) is a compact, URL-safe token format for securely transmitting information between parties. It consists of three Base64URL-encoded parts separated by dots.

eyJhbGci...(Header).eyJzdWIi...(Payload).SflKxwRJ...(Signature)

Header

The header typically contains two fields: the signing algorithm (alg) and the token type (typ).

{"alg": "HS256", "typ": "JWT"}

Payload (Claims)

The payload contains claims — statements about the user and metadata. Standard claims include:

Claim   Name          Description
iss     Issuer        Who issued the token
sub     Subject       Who the token is about
aud     Audience      Intended recipient of the token
exp     Expiration    When the token expires (Unix timestamp in seconds)
nbf     Not Before    Token is not valid before this time
iat     Issued At     When the token was created
jti     JWT ID        Unique identifier for the token

Signature

The signature is created by Base64URL-encoding the header and payload, joining them with a dot, and signing the result with the algorithm named in the header's alg field, using the issuer's secret or private key.

HMAC-SHA256(
  base64UrlEncode(header) + "." + base64UrlEncode(payload),
  secret
)

Common Misconceptions

"JWTs are encrypted" — Standard JWTs (JWS) are only signed, not encrypted. The payload can be read by anyone who has the token.
"Decoding a JWT means it's trusted" — Decoding only reads the content. Without signature verification, the token could have been tampered with.
"alg: none is harmless" — The none algorithm means no signature. Accepting it can allow attackers to forge tokens. Always reject alg: none in production.

Security Best Practices

Always verify the signature before trusting any claims
Check exp, nbf, and iat claims for time validity
Validate the issuer (iss) and audience (aud) claims
Never store sensitive data (passwords, credit cards) in the payload
Use strong secrets for HMAC and rotate keys regularly
Prefer asymmetric algorithms (RS256, ES256) for public-facing APIs

All decoding, validation, and signature verification happens in your browser. Your JWT and secrets are never sent to any server.

Tips

Decode Does Not Mean Trust

Anyone can decode a JWT — Base64URL is not encryption. Decoding reveals the contents, but only signature verification proves the token has not been tampered with.

Check Expiration Before Use

The exp (expiration) claim is a Unix timestamp in seconds. Always check that it is in the future before trusting a token. This tool shows the time status instantly.

alg: none Is a Security Risk

The "none" algorithm means the token has no signature. Accepting it in production can allow attackers to forge tokens. Always reject alg: none on your server.

JWTs Are Not Encrypted by Default

Standard JWTs (JWS) are only signed, not encrypted. The payload is readable by anyone with the token. Never store passwords, credit card numbers, or other secrets in a JWT payload.

Common Use Cases

API Debugging

Paste access tokens from API responses to quickly inspect claims, check expiration, and verify the issuer without leaving your browser.

Auth Flow Testing

Decode tokens at each step of OAuth2 or OpenID Connect flows to verify that the correct scopes, audience, and claims are present.

Token Expiration Monitoring

Check when tokens expire to debug session timeout issues. The tool shows human-readable time differences like "expires in 14 minutes".

CI/CD Pipeline Verification

Verify that service-to-service tokens contain the expected claims before deploying. Paste tokens from pipeline logs to inspect them.

Security Auditing

Inspect tokens for sensitive data leaks (PII in payload), weak algorithms (alg: none), or missing security claims (exp, aud, iss).

Frequently Asked Questions

What is a JWT?
A JSON Web Token (JWT) is a compact, URL-safe format for transmitting information between parties as a JSON object. It consists of three Base64URL-encoded parts: header, payload, and signature, separated by dots.
Is a JWT encrypted?
Standard JWTs (JWS — JSON Web Signature) are signed but NOT encrypted. The payload can be read by anyone. JWE (JSON Web Encryption) tokens are encrypted, but they are a different format with 5 segments instead of 3.
Can I trust a decoded JWT?
No. Decoding only reveals the contents — it does not verify authenticity. Anyone can create a JWT with any payload. You must verify the cryptographic signature to trust the claims.
What is the difference between decoding and verifying?
Decoding reads the Base64URL-encoded header and payload. Verifying checks the cryptographic signature to ensure the token was issued by a trusted party and has not been tampered with. Always verify before trusting.
Why is my token showing as expired?
The exp claim is a Unix timestamp in seconds. If this time is in the past, the token has expired. Check the exp value and compare it with the current time. Time zone differences do not affect this — Unix timestamps are always UTC.
What does the alg field mean?
The alg (algorithm) field in the header specifies the cryptographic algorithm used to sign the token. Common values: HS256 (HMAC with SHA-256), RS256 (RSA with SHA-256), ES256 (ECDSA with P-256 and SHA-256).
What is Base64URL encoding?
Base64URL is a variant of Base64 that replaces + with - and / with _, and removes padding (=). This makes the output safe for URLs and filenames. JWT uses Base64URL for both the header and payload segments.
Is my token or secret sent to any server?
No. All decoding, validation, and signature verification happens entirely in your browser using JavaScript and the Web Crypto API. Your JWT and secrets never leave your device.
Can I verify HS256 tokens here?
Yes. This tool fully supports HMAC signature verification (HS256, HS384, HS512) using the Web Crypto API. Enter your secret in the Verify tab to check if the signature is valid.
Why are JWE tokens not supported?
JWE (JSON Web Encryption) tokens have 5 segments and require a decryption key to read the payload. This tool focuses on JWS (signed) tokens which have 3 segments. JWE support may be added in a future update.