Is it safe to paste my JWT token here?

Yes — JWT Decoder runs 100% in your browser. Your token is never sent to any server. All decoding happens locally using JavaScript. You can verify this by checking your browser's network tab.

What is a JSON Web Token (JWT)?

A JWT is a compact, URL-safe token format used for authentication and authorization. It consists of three Base64-encoded parts separated by dots: a header (algorithm & type), a payload (claims like user ID, roles, expiration), and a signature.

Can this tool verify JWT signatures?

Yes! Enter your HMAC secret key in the signature section and the tool will verify whether the signature is valid. It supports HS256, HS384, and HS512 algorithms — all verification happens client-side in your browser.

What claims does the tool detect?

It detects and highlights all registered claims including iss (issuer), sub (subject), aud (audience), exp (expiration), nbf (not before), iat (issued at), and jti (JWT ID). Custom claims are also displayed.

Does this work with expired tokens?

Yes. You can decode any JWT regardless of whether it's expired. The tool will show the expiration status and how long ago it expired or when it will expire.

Free & Private JWT Tool — Like jwt.io

Decode & Inspect
JSON Web Tokens

Paste any JWT to instantly see decoded header, payload, and claims. Check expiration status, interpret registered claims, and also encode & sign tokens with HMAC — all in your browser.

🔐

Encode & Sign

Edit header and payload JSON, choose your algorithm, provide a secret — and get a signed JWT instantly.

🎨

Color-Coded Sections

Header (red), payload (purple), and signature (blue) are color-coded just like jwt.io for easy reading.

✅

Verify Signatures

Enter your HMAC secret to verify JWT signatures client-side. Supports HS256, HS384, and HS512.

Encoded

Enter secret to verify signature

Header

Payload

sub= Subjectname= Nameemail= Emailrole= Roleiat= Issued At(Mon, 10 Mar 2025 09:46:40 GMT)exp= Expiration Time(Tue, 10 Mar 2026 09:46:40 GMT)iss= Issueraud= Audience

Verify Signature

HMAC256(
  base64UrlEncode(header) + "." +
  base64UrlEncode(payload),
  secret
)

secret base64 encoded

Frequently Asked Questions

Everything you need to know about JWT Token Decoder.

Decode & InspectJSON Web Tokens