JWT Decoder

Decode and inspect JSON Web Tokens

How to Use JWT Decoder

Step 1: Paste Your JWT Token

Copy your JWT token from your application or API response and paste it into the "Encoded JWT" textarea above. The token will be automatically decoded as you type.

Step 2: View Decoded Information

The decoder will instantly display three parts of your JWT:

  • Header: Contains metadata about the token, including the algorithm used (e.g., HS256, RS256) and token type.
  • Payload: Contains the claims or data stored in the token, such as user ID, expiration time, and custom fields.
  • Signature: The encoded signature used to verify the token's authenticity.

Step 3: Verify Signature (Optional)

To verify if your JWT signature is valid, enter the key in the "Secret/Public Key" field:

  • For HMAC (HS256, HS384, HS512): Enter the secret key as plain text
  • For ECDSA (ES256, ES384, ES512): Enter the public key in PEM format or JWK JSON format

The decoder will:

  • Show a green "Valid Signature" message if the signature matches
  • Show a red "Invalid Signature" message with the reason if the signature doesn't match
  • Show an info message if the algorithm is not supported for verification

Note: Verification currently supports the HMAC (HS256, HS384, HS512) and ECDSA (ES256, ES384, ES512) algorithms. RSA verification is coming soon.

Security & Privacy

All JWT decoding and verification happens locally in your browser. No data is sent to any server, ensuring your tokens and secrets remain private and secure.

What is a JWT?

A JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. JWTs are commonly used for authentication and information exchange in web applications.

JWT Structure

A JWT consists of three parts separated by dots (.):

  • Header.Payload.Signature

Each part is Base64URL encoded, making it safe for use in URLs and HTTP headers.
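
The Header.Payload.Signature split described here and the HMAC check from Step 3, as an added example that is not this tool's own code. It uses Node.js's built-in crypto module; the function names, the secret and the sample token are constructed for illustration.

```javascript
// Added example: decode a JWT and verify an HMAC signature with Node.js built-ins.
const nodeCrypto = require("node:crypto");

// HMAC algorithms the page lists as supported, mapped to Node digest names.
const HMAC_ALGS = { HS256: "sha256", HS384: "sha384", HS512: "sha512" };

const b64urlJson = (part) => JSON.parse(Buffer.from(part, "base64url").toString("utf8"));

// Split Header.Payload.Signature and decode the two JSON parts. No trust is implied.
function decodeJwt(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("expected three dot-separated parts");
  const [h, p, s] = parts;
  return { header: b64urlJson(h), payload: b64urlJson(p), signature: s, signingInput: `${h}.${p}` };
}

// Verify an HS* signature. The allow-list comes from the caller, so the token
// cannot choose its own algorithm (for example "none") through its header.
function verifyHmac(token, secret, allowed = ["HS256"]) {
  let jwt;
  try { jwt = decodeJwt(token); } catch (e) { return { valid: false, reason: e.message }; }
  const alg = jwt.header.alg;
  if (!allowed.includes(alg) || !HMAC_ALGS[alg]) {
    return { valid: false, reason: `algorithm ${alg} not allowed` };
  }
  const expected = nodeCrypto.createHmac(HMAC_ALGS[alg], secret).update(jwt.signingInput).digest();
  const given = Buffer.from(jwt.signature, "base64url");
  // timingSafeEqual throws on a length mismatch, so compare lengths first.
  const ok = given.length === expected.length && nodeCrypto.timingSafeEqual(given, expected);
  return ok ? { valid: true, payload: jwt.payload } : { valid: false, reason: "signature mismatch" };
}

// Constructed sample token (not a real credential), always signed with HMAC-SHA256.
function makeSampleToken(secret, header = { alg: "HS256", typ: "JWT" },
                         payload = { sub: "user-123", exp: 1900000000 }) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  const input = `${enc(header)}.${enc(payload)}`;
  const sig = nodeCrypto.createHmac("sha256", secret).update(input).digest("base64url");
  return `${input}.${sig}`;
}

const SAMPLE_SECRET = "constructed-demo-secret";
const SAMPLE_TOKEN = makeSampleToken(SAMPLE_SECRET);
console.log(decodeJwt(SAMPLE_TOKEN).header, verifyHmac(SAMPLE_TOKEN, SAMPLE_SECRET));
```

`decodeJwt` only decodes; the payload should be trusted only when `verifyHmac` returns `valid: true`.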