JWT Decoder & Verifier
Decode, inspect, and verify JSON Web Tokens. Signature verification runs entirely in your browser — your secret never leaves this page.
Frequently Asked Questions
What is a JWT?
A JSON Web Token (JWT) is a compact, URL-safe token format used for securely transmitting information between parties as a JSON object. It consists of three parts separated by dots: a header, a payload, and a signature.
How does signature verification work?
For HMAC algorithms (HS256, HS384, HS512), we recompute the signature over the header.payload portion of the token (the first two dot-separated segments, exactly as they appear) with your secret using the Web Crypto API, then compare the result to the token's signature. Everything happens in your browser, and the secret is never sent anywhere.
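The check described above, as an added example rather than this tool's own code. The names verifyJwt, signJwt, hmacKey and the sample secret are assumptions made for illustration; the comparison is delegated to subtle.verify, any alg outside the three HMAC variants is rejected, and the 'exp' claim is checked as well.

```javascript
// Added example: HS256/HS384/HS512 verification with the Web Crypto API.
// Assumption: falls back to Node's webcrypto when no global crypto object exists.
const subtle = globalThis.crypto?.subtle ?? require("node:crypto").webcrypto.subtle;
const HASH = { HS256: "SHA-256", HS384: "SHA-384", HS512: "SHA-512" };
const enc = new TextEncoder();

// JWT segments are unpadded base64url; restore the alphabet and padding first.
function b64urlToBytes(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  const bin = atob(b64 + "=".repeat((4 - (b64.length % 4)) % 4));
  return Uint8Array.from(bin, (c) => c.charCodeAt(0));
}
function bytesToB64url(bytes) {
  return btoa(String.fromCharCode(...bytes))
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

async function hmacKey(secret, alg, usage) {
  return subtle.importKey("raw", enc.encode(secret),
    { name: "HMAC", hash: HASH[alg] }, false, [usage]);
}

// Returns { valid, expired, payload }. The header's alg must be one of the
// three HMAC algorithms; "none" or an RSA/ECDSA alg throws instead of passing.
async function verifyJwt(token, secret, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const [h, p, s] = parts;
  const header = JSON.parse(new TextDecoder().decode(b64urlToBytes(h)));
  if (!Object.hasOwn(HASH, header.alg)) throw new Error("unsupported alg: " + header.alg);
  const key = await hmacKey(secret, header.alg, "verify");
  // verify() recomputes the HMAC over "header.payload" and compares it to s.
  const valid = await subtle.verify("HMAC", key, b64urlToBytes(s), enc.encode(h + "." + p));
  const payload = JSON.parse(new TextDecoder().decode(b64urlToBytes(p)));
  const expired = typeof payload.exp === "number" && nowSec >= payload.exp;
  return { valid, expired, payload };
}

// Builds a constructed sample token so the example runs offline.
async function signJwt(header, payload, secret) {
  const input = bytesToB64url(enc.encode(JSON.stringify(header))) + "." +
    bytesToB64url(enc.encode(JSON.stringify(payload)));
  const key = await hmacKey(secret, header.alg, "sign");
  const sig = new Uint8Array(await subtle.sign("HMAC", key, enc.encode(input)));
  return input + "." + bytesToB64url(sig);
}
```

Treat the payload as trustworthy only when valid is true and expired is false; the decoded payload is returned in every case so it can still be inspected.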
Is it safe to paste my secret key here?
Yes. This tool runs 100% client-side. Your token and secret key never leave your browser — no network requests are made. You can verify this in your browser's DevTools Network tab.
What algorithms are supported?
Signature verification currently supports HMAC-based algorithms: HS256 (HMAC-SHA256), HS384 (HMAC-SHA384), and HS512 (HMAC-SHA512). RSA and ECDSA tokens can be decoded but not verified in-browser without a public key input (coming soon).
How do I know if my JWT is expired?
If the payload contains an 'exp' (expiration) claim, this tool automatically shows the expiration date and indicates whether the token has expired based on your current local time.