JSON Web Token (JWT)
JWT Decoder and Generator
Works locally in your browser — no requests sent to a server.
Algorithm
—
Signature
—
Verification
Provide a secret to verify HS* tokens.
What is a JWT?
A JWT is a compact string with 3 parts: header, payload, and signature. The first two parts are Base64URL-encoded JSON. The signature prevents tampering.
Decode tips
- Paste the JWT to decode header + payload.
- For HS tokens, add the secret to verify the signature.
- Check time claims (exp/nbf/iat) to see if it is active.
Security notes
- JWTs are not encrypted; payload data is readable.
- A “valid” signature only proves the secret/key matches — not that the token is safe to trust.
- Always validate issuer, audience, expiry, and intended use in your app.
How it works
Decodes JWT segments locally, formats JSON, and optionally verifies HS256/384/512 signatures using your secret. Generation builds header + payload, signs (or leaves blank for alg=none), and outputs a full token.
- Payload is not encrypted; do not paste secrets inside JWT claims.
- Verification supports only HS* here; RSA/EC keys are not verified on this page.
Quick examples
Use “Send to decoder” to inspect a freshly generated token.
Mini FAQ
Can I verify RS256 here?
No, this page only verifies HS* shared-secret tokens.
What does alg=none mean?
No signature; anyone can alter the payload. Avoid in production.
How do I check expiry?
Decoded time claims (exp/nbf/iat) are summarized above after paste.
Related tools