JWT Decoder

Decode and verify JSON Web Tokens locally. Private by design—everything runs in your browser.

JWT Input

Tip: Press Ctrl/Cmd + Enter to decode. You can also drop a .jwt/.txt file.

About this tool

This decoder splits your JWT into header, payload, and signature. It Base64URL-decodes the first two parts and pretty-prints the JSON. Verification (optional) recreates the signing input (header.payload) and checks the signature locally using the Web Crypto API.

Verification support

  • HS256 (HMAC SHA-256) with a secret string.
  • RS256 (RSA PKCS#1 v1.5 + SHA-256) with a PEM public key (BEGIN PUBLIC KEY or BEGIN RSA PUBLIC KEY).
  • Other algorithms will decode fine but show as “not supported” for verification.

Time claim helpers

If present, exp, nbf, and iat are interpreted as UNIX seconds and summarized with status chips (valid/expired/not yet valid).
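The decode, HS256 verification, and time-claim steps described above, written out as an added example. This is not this tool's source code: the function names (`decodeJwt`, `verifyHS256`, `signHS256`, `timeStatus`) are hypothetical, and `signHS256` exists only to build a constructed sample token so the example runs offline.

```javascript
// Added illustration, not this tool's source. Function names are hypothetical.
// Uses the browser's Web Crypto; falls back to node:crypto on older Node (CommonJS).
const subtle = globalThis.crypto?.subtle ?? require('node:crypto').webcrypto.subtle;
const enc = new TextEncoder();

// Base64URL -> bytes: map '-'/'_' back to '+'/'/' and restore '=' padding for atob().
function b64urlToBytes(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/').padEnd(Math.ceil(s.length / 4) * 4, '=');
  return Uint8Array.from(atob(b64), c => c.charCodeAt(0));
}
// bytes -> Base64URL (only needed to build the constructed sample token).
function bytesToB64url(bytes) {
  return btoa(String.fromCharCode(...bytes)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Decoding only parses; it says nothing about whether the token is authentic.
function decodeJwt(token) {
  const parts = token.trim().split('.');
  if (parts.length !== 3) throw new Error('expected header.payload.signature');
  const json = p => JSON.parse(new TextDecoder().decode(b64urlToBytes(p)));
  return { header: json(parts[0]), payload: json(parts[1]),
           signingInput: `${parts[0]}.${parts[1]}`, signature: b64urlToBytes(parts[2]) };
}

const hmacKey = (secret, usage) =>
  subtle.importKey('raw', enc.encode(secret), { name: 'HMAC', hash: 'SHA-256' }, false, [usage]);

// HS256 verification over the exact received header.payload bytes.
async function verifyHS256(token, secret) {
  const { header, signingInput, signature } = decodeJwt(token);
  if (header.alg !== 'HS256') return false; // e.g. "none" or RS256: not verifiable with this key
  return subtle.verify('HMAC', await hmacKey(secret, 'verify'), signature, enc.encode(signingInput));
}

// Builds a constructed sample token so the example runs offline.
async function signHS256(payload, secret) {
  const part = obj => bytesToB64url(enc.encode(JSON.stringify(obj)));
  const input = `${part({ alg: 'HS256', typ: 'JWT' })}.${part(payload)}`;
  const sig = await subtle.sign('HMAC', await hmacKey(secret, 'sign'), enc.encode(input));
  return `${input}.${bytesToB64url(new Uint8Array(sig))}`;
}

// exp/nbf are UNIX seconds; returns the same three states as the status chips.
function timeStatus(payload, nowSec = Math.floor(Date.now() / 1000)) {
  if (typeof payload.nbf === 'number' && nowSec < payload.nbf) return 'not yet valid';
  if (typeof payload.exp === 'number' && nowSec >= payload.exp) return 'expired';
  return 'valid';
}
```

A token whose payload was edited after signing still decodes cleanly but fails `verifyHS256`, which is why decoded claims should not be trusted until verification passes.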

Privacy

100% client-side. No network requests are made after page load. For sensitive tokens, prefer using this page offline (File → Save As) or the offline bundle.
