JWT Decoder & Verifier
Client-Side Secure. Decode JWTs (JSON Web Tokens) locally in your browser. Inspect header/payload/signature, view exp/nbf/iat as real dates, detect insecure.y decoded JSON instantly.
Paste a JWT above. This tool supports Bearer headers, JSON responses that contain a token, and signature verification when keys are provided.
JWT Decoder, JWT Debugger & JWT Signature Verifier (HS256 / RS256 / PS256 / ES256)
Decode and analyze JSON Web Tokens (JWT) in seconds. This tool splits a token into Header, Payload, and Signature, then shows you what the token actually contains — including claim timelines like exp, nbf, and iat. You can also verify the signature locally using an HMAC secret (HS*) or a public key in JWK / JWKS format (RS*/PS*/ES*).
Privacy: Decoding and verification run in your browser. Tokens are not sent to a server by this tool.
If you choose to fetch a JWKS from a URL, that request is made by your browser directly to that URL (and may be blocked by CORS depending on the provider).
Offline Signature Verification
Verify JWT signatures client-side: HS* with a secret, and RS*/PS*/ES* with a public JWK/JWKS. This helps you confirm whether a token was altered or signed by the expected key.
Time Claim Analyzer + Timeline
Automatically parses exp, nbf, and iat into human time, shows “expired / not active yet”, and visualizes the token’s life as a timeline you can quickly understand.
Policy Lint + Compare
Get actionable warnings (like alg=none, missing exp, unusual timelines), and compare two JWTs to see what changed between environments, users, or deployments.
What is a JWT?
A JWT (JSON Web Token) is a compact token format used for authentication and authorization. It typically contains:
- Header: describes the signing algorithm (alg), type (typ), and often key id (kid).
- Payload: claims like user id (sub), issuer (iss), audience (aud), expiration (exp).
- Signature: proves the header + payload were signed by the issuer (HMAC secret or asymmetric private key).
Common JWT errors this tool helps with
- Expired token: exp is in the past.
- Not active yet: nbf is in the future.
- Clock skew issues: server time differs from client time.
- Issuer or audience mismatch: token is valid but not intended for your service.
- Signature verification failure: wrong secret/key or token was modified.
- Confusing formats: pasted Bearer headers or JSON responses that contain tokens.
FAQ
No. Decoding just reads Base64URL data. Signature verification is a separate cryptographic check. This page supports verification locally when you provide the correct secret or public key.
Standard JWTs (JWS) are signed, not encrypted — the payload is Base64URL-encoded and can be read. Encrypted tokens are usually JWE (5 parts). This tool detects JWEs and explains the difference.
Many identity providers block browser requests using CORS headers. You can still copy the JWKS JSON and paste it into the tool, which works offline.
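The split between decoding and verification described in the answers above, as an added Node.js example that is not this tool's own code. The function names, the demo secret, the sample tokens and the 60-second clock-skew allowance are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

// Decode one Base64URL segment into JSON. This reads data; it proves nothing.
const decodeSegment = (seg) => JSON.parse(Buffer.from(seg, 'base64url').toString('utf8'));

// Split a compact token, accepting an optional "Bearer " prefix.
function decodeJwt(input) {
  const token = input.trim().replace(/^Bearer\s+/i, '');
  const parts = token.split('.');
  if (parts.length === 5) throw new Error('5 parts: JWE (encrypted), not a signed JWT');
  if (parts.length !== 3) throw new Error('expected header.payload.signature');
  return { header: decodeSegment(parts[0]), payload: decodeSegment(parts[1]),
           signingInput: parts[0] + '.' + parts[1], signature: parts[2] };
}

// Separate cryptographic check: recompute the HMAC and compare in constant time.
function verifyHs256(jwt, secret) {
  if (jwt.header.alg !== 'HS256') return false; // the verifier pins alg, not the token
  const expected = crypto.createHmac('sha256', secret).update(jwt.signingInput).digest();
  const given = Buffer.from(jwt.signature, 'base64url');
  return given.length === expected.length && crypto.timingSafeEqual(given, expected);
}

// Lint for the warnings the page lists; skewSec (assumed 60 s) absorbs clock drift.
function lint(jwt, nowSec, skewSec = 60) {
  const w = [];
  const { exp, nbf } = jwt.payload;
  if (String(jwt.header.alg).toLowerCase() === 'none') w.push('alg=none');
  if (exp === undefined) w.push('missing exp');
  else if (nowSec > exp + skewSec) w.push('expired');
  if (nbf !== undefined && nowSec + skewSec < nbf) w.push('not active yet');
  return w;
}

// Constructed sample tokens, signed here with a constructed demo secret.
const b64 = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
function sign(header, payload, secret) {
  const input = b64(header) + '.' + b64(payload);
  return input + '.' + crypto.createHmac('sha256', secret).update(input).digest('base64url');
}
const SECRET = 'demo-secret-not-for-production';
const good = sign({ alg: 'HS256', typ: 'JWT' }, { sub: 'user-1', iat: 1700000000, exp: 1700003600 }, SECRET);
// Altered copy: payload replaced, original signature kept. It decodes but must not verify.
const [h, , s] = good.split('.');
const tampered = `${h}.${b64({ sub: 'admin', exp: 1700003600 })}.${s}`;
```

The altered token decodes without error and only fails at `verifyHs256`, which is why a readable payload must never be treated as a trusted one.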