JWT Decoder & Verifier

Decode, inspect, and verify JSON Web Tokens. Signature verification runs entirely in your browser — your secret never leaves this page.


Frequently Asked Questions

A JSON Web Token (JWT) is a compact, URL-safe token format used for securely transmitting information between parties as a JSON object. It consists of three parts separated by dots: a header, a payload, and a signature.
For HMAC algorithms (HS256, HS384, HS512), we re-sign the header.payload with your secret using the Web Crypto API and compare the result to the token's signature. Everything happens in your browser — the secret is never sent anywhere.
Yes. This tool runs 100% client-side. Your token and secret key never leave your browser — no network requests are made. You can verify this in your browser's DevTools Network tab.
Signature verification currently supports HMAC-based algorithms: HS256 (HMAC-SHA256), HS384 (HMAC-SHA384), and HS512 (HMAC-SHA512). RSA and ECDSA tokens can be decoded but not verified in-browser without a public key input (coming soon).
If the payload contains an 'exp' (expiration) claim, this tool automatically shows the expiration date and indicates whether the token has expired based on your current local time.
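
The HMAC check and the 'exp' handling described in the answers above, as an added example that is not this tool's own code: it uses Web Crypto's `verify` for the recompute-and-compare step and rejects any algorithm outside HS256/HS384/HS512 instead of reporting it as verified. The function names, the result shape and the `signJwt` helper (used only to construct sample tokens) are assumptions.

```javascript
// Added example (not the tool's own code): HS256/384/512 verification with Web Crypto.
const ALGS = { HS256: 'SHA-256', HS384: 'SHA-384', HS512: 'SHA-512' };
const enc = new TextEncoder();

const fromB64url = (s) =>
  Uint8Array.from(atob(s.replace(/-/g, '+').replace(/_/g, '/')), (c) => c.charCodeAt(0));
const toB64url = (bytes) =>
  btoa(String.fromCharCode(...bytes)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');

async function hmacKey(secret, alg, usage) {
  // Browsers expose crypto.subtle globally; the import is a fallback for older Node.
  const subtle = globalThis.crypto?.subtle ?? (await import('node:crypto')).webcrypto.subtle;
  const key = await subtle.importKey(
    'raw', enc.encode(secret), { name: 'HMAC', hash: ALGS[alg] }, false, [usage]);
  return { subtle, key };
}

// Hypothetical helper, used only to construct sample tokens for the demonstration.
async function signJwt(header, payload, secret) {
  const input = [header, payload].map((o) => toB64url(enc.encode(JSON.stringify(o)))).join('.');
  const { subtle, key } = await hmacKey(secret, header.alg, 'sign');
  const sig = await subtle.sign('HMAC', key, enc.encode(input));
  return `${input}.${toB64url(new Uint8Array(sig))}`;
}

async function verifyJwt(token, secret, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return { valid: false, reason: 'malformed' };
  let header, payload, sig;
  try {
    [header, payload] = parts.slice(0, 2)
      .map((p) => JSON.parse(new TextDecoder().decode(fromB64url(p))));
    sig = fromB64url(parts[2]);
  } catch {
    return { valid: false, reason: 'malformed' };
  }
  // Allow-list the algorithm: "none", RS*/ES* and unknown values are rejected outright.
  const alg = header?.alg;
  if (typeof alg !== 'string' || !Object.hasOwn(ALGS, alg)) {
    return { valid: false, reason: 'unsupported alg' };
  }
  const { subtle, key } = await hmacKey(secret, alg, 'verify');
  // verify() recomputes the MAC over "header.payload" and compares it to the signature.
  const ok = await subtle.verify('HMAC', key, sig, enc.encode(`${parts[0]}.${parts[1]}`));
  if (!ok) return { valid: false, reason: 'bad signature' };
  // RFC 7519: the token is only acceptable while the current time is before "exp".
  const expired = typeof payload?.exp === 'number' && nowSec >= payload.exp;
  return { valid: true, expired, payload };
}
```

The expiry flag is computed only after the signature check passes, so an unverified 'exp' value is never reported as trustworthy.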