Home/Security Tools/JWT decoder / generator

JSON Web Token (JWT)

JWT Decoder and Generator

Works locally in your browser — no requests sent to a server.

Local only header.payload.signature
JWTPaste a token to decode automatically
Verify (HS*)Optional

Algorithm

Signature

Verification

Provide a secret to verify HS* tokens.

Header (decoded)
Payload (decoded)
Live decode Secrets stay in-browser Shows key claims (exp/iat/nbf)

What is a JWT?

A JWT is a compact string with 3 parts: header, payload, and signature. The first two parts are Base64URL-encoded JSON. The signature prevents tampering.

Decode tips

  • Paste the JWT to decode header + payload.
  • For HS tokens, add the secret to verify the signature.
  • Check time claims (exp/nbf/iat) to see if it is active.

Security notes

  • JWTs are not encrypted; payload data is readable.
  • A “valid” signature only proves the secret/key matches — not that the token is safe to trust.
  • Always validate issuer, audience, expiry, and intended use in your app.

How it works

Decodes JWT segments locally, formats JSON, and optionally verifies HS256/384/512 signatures using your secret. Generation builds header + payload, signs (or leaves blank for alg=none), and outputs a full token.

  • Payload is not encrypted; do not paste secrets inside JWT claims.
  • Verification supports only HS* here; RSA/EC keys are not verified on this page.

Quick examples

Decode
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...
Shows header/payload JSON; alg=HS256
Generate HS256
Header: { alg: HS256 } | Payload: { sub: "user_123" }
Token with signature using your secret

Use “Send to decoder” to inspect a freshly generated token.

Mini FAQ

Can I verify RS256 here?

No, this page only verifies HS* shared-secret tokens.

What does alg=none mean?

No signature; anyone can alter the payload. Avoid in production.

How do I check expiry?

Decoded time claims (exp/nbf/iat) are summarized above after paste.