JWT Decoder: read and verify JSON Web Tokens
A short guide to JWTs — how they're structured, how to read the claims, the difference between decoding and verifying, and why it's safe to do locally.
Open the JWT Decoder →
What this tool does
The JWT Decoder splits a token into its three parts, Base64URL-decodes the header and payload into readable JSON, translates the time claims into dates, flags expiry, and can verify an HS256 signature if you supply the secret — all in your browser.
How a JWT is structured
A JWT is three Base64URL sections joined by dots: header.payload.signature. The header names the algorithm (e.g. HS256), the payload holds the claims, and the signature is computed over the first two parts with a secret or private key.
Decoding vs verifying
Decoding just reveals the header and payload — anyone can do it, so the payload is not secret. Verifying recomputes the signature with the secret (or key) to prove the token is authentic and unmodified. This tool decodes any token and can verify HS256 tokens with a shared secret.
Common claims
iss (issuer), sub (subject), aud (audience).
iat (issued-at), nbf (not-before), exp (expiry): shown as dates, with an expiry warning.
Privacy
Tokens often grant access, so a server-side decoder is a real risk. Here, decoding and verification run entirely in your browser via the Web Crypto API — nothing is uploaded.
FAQ
Is decoding the same as verifying?
No — decoding reads the token; verifying checks the signature with the secret.
Is my token sent anywhere?
No — it all runs locally in your browser.
Should I paste production tokens?
It's local and safe, but treat real tokens with care on shared machines.
Ready to try it? Open the JWT Decoder →