
JSON Web Token (JWT)

JWT Decoder and Generator

Works locally in your browser — no requests sent to a server.

Live decode. Secrets stay in-browser. Shows key claims (exp/iat/nbf).

What is a JWT?

A JWT is a compact string with 3 parts, written as header.payload.signature. The first two parts are Base64URL-encoded JSON. The signature makes tampering with the header or payload detectable.

Decode tips

  • Paste the JWT to decode header + payload.
  • For HS* tokens, add the secret to verify the signature.
  • Check the time claims (exp/nbf/iat) to see whether the token is currently active.

Security notes

  • JWTs are not encrypted; payload data is readable.
  • A “valid” signature only proves the secret/key matches — not that the token is safe to trust.
  • Always validate issuer, audience, expiry, and intended use in your app.
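
The security notes above, as an added example (not this tool's own code): an HS256 check that treats a matching signature as only the first step and then validates issuer, audience, and the time claims. The function names, secret, issuer, audience, and clock value are assumptions constructed for the example.

```python
import base64
import hashlib
import hmac
import json

def b64url_decode(part: str) -> bytes:
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))  # restore stripped padding

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign_hs256(claims: dict, secret: bytes) -> str:
    """Build a sample HS256 token for the demonstration."""
    parts = [b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
             for obj in ({"alg": "HS256", "typ": "JWT"}, claims)]
    mac = hmac.new(secret, ".".join(parts).encode(), hashlib.sha256).digest()
    return ".".join(parts + [b64url_encode(mac)])

def validate(token, secret, issuer, audience, now, leeway=30):
    """Return (ok, reason): signature first, then the claims the app depends on."""
    try:
        head, body, sig = token.split(".")
        header, claims = json.loads(b64url_decode(head)), json.loads(b64url_decode(body))
        signature = b64url_decode(sig)
    except ValueError:  # wrong part count, bad Base64URL, or bad JSON
        return False, "malformed"
    if not (isinstance(header, dict) and isinstance(claims, dict)):
        return False, "malformed"
    if header.get("alg") != "HS256":  # pin the algorithm; never take it from the token
        return False, "unexpected alg"
    expected = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(signature, expected):
        return False, "bad signature"
    # A matching signature only gets us this far; the checks below decide trust.
    if claims.get("iss") != issuer:
        return False, "wrong issuer"
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        return False, "wrong audience"
    exp, nbf = claims.get("exp"), claims.get("nbf", 0)
    if not isinstance(exp, (int, float)) or now >= exp + leeway:
        return False, "expired or missing exp"
    if not isinstance(nbf, (int, float)) or now + leeway < nbf:
        return False, "not yet valid"
    return True, "ok"

# Constructed sample values (assumptions, not from the page).
SECRET, ISSUER, AUDIENCE, NOW = b"constructed-demo-secret", "https://issuer.example", "orders-api", 1_700_000_000
GOOD = sign_hs256({"iss": ISSUER, "aud": AUDIENCE, "exp": NOW + 300}, SECRET)
OTHER_AUD = sign_hs256({"iss": ISSUER, "aud": "billing-api", "exp": NOW + 300}, SECRET)
```

`OTHER_AUD` carries a signature that verifies with the same secret, yet `validate` rejects it because it was issued for a different audience.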