JWT Decoder

Decode and verify JSON Web Tokens locally. Private by design—everything runs in your browser.

About this tool

This JWT decoder helps you read JSON Web Tokens without sending them anywhere. Paste a token and the tool splits it into header, payload and signature so you can see what is inside. It is useful when debugging authentication failures, inspecting access tokens, or checking which claims a token carries during development. Keep in mind that decoding is not verification: the contents are readable by anyone who holds the token, and they are only trustworthy once the signature has been checked against the right key.

A JWT is a compact string of three base64url segments separated by dots. The header names the signing algorithm (and often a key ID), the payload carries claims such as a subject, roles and expiry, and the signature is an HMAC or digital signature computed over the first two segments, so anyone holding the right key can confirm they have not been altered. Base64url is an encoding, not encryption: anyone who has the token can read the header and payload, so never put secrets in them. This decoder only converts the two JSON segments back into formatted text; on its own it does not tell you whether the token is genuine.

To use the tool, paste your JWT into the input box (or drop a .jwt or .txt file onto it) and press Ctrl/Cmd + Enter. The header and payload appear immediately, and the signature is listed as a separate block. To verify the signature, select the algorithm and provide the shared secret (HS256) or the issuer's public key (RS256). The verifier rebuilds the signing input, base64url(header) + "." + base64url(payload), and checks the signature against it in your browser, so neither the token nor the key leaves your device. Decoding succeeds for any well-formed token, including a forged one; only a successful verification tells you the claims were produced by the holder of the key.

This page supports HS256 (HMAC-SHA256 with a shared secret; you need the same secret the issuer used) and RS256 (RSASSA-PKCS1-v1_5 with SHA-256; you need only the issuer's public key, which is safe to paste). Tokens using other algorithms still decode, but verification is marked as unsupported. Time-based claims (exp, nbf and iat, all expressed as seconds since the Unix epoch) are displayed with status indicators so you can tell at a glance whether a token is expired, not yet valid, or currently within its validity window. Note that iat only records when the token was issued; unlike exp and nbf it is not a validity condition by itself.

Common use cases include checking login tokens in a web app, reviewing OAuth access tokens during API testing, troubleshooting “invalid token” errors, and confirming what permissions a token actually carries. Whether you need a JWT reader, a JSON Web Token decoder, or a quick way to inspect claims, this tool provides a safe, client-side option for fast analysis.

For sensitive tokens, you can save this page and run it offline. No network requests are made after the page loads, keeping your token data private.

5 Fun Facts about JWTs

Base64url ≠ encryption (plain sight)

A JWT's header and payload are just base64url text; anyone who has the token can read them with no key at all. Only a signature verified against the right key says anything about integrity, and nothing about the token hides its contents.

Header is part of the signature (tied together)

The signing input is base64url(header) + "." + base64url(payload), so changing alg, kid or any other header field breaks the signature exactly as changing a claim does. The caveat: this protection only counts once a verifier actually checks the signature with an algorithm and key it chose itself. A verifier that takes alg from the still-unverified header lets the token decide how it is checked.

"None" was once allowed (legacy quirk)

The infamous "alg":"none" tokens carry an empty signature segment, and a library that honoured the header skipped verification entirely. Modern libraries reject them unless explicitly configured otherwise, but a decoder still displays the header and claims, so you can spot one by the alg value and the empty signature block.

Key hints ride in kid (key roulette)

A kid (key ID) header tells the verifier which of its keys to try, which matters during key rotation when several are valid at once. Without it, a verifier may have to try every key it holds. Treat kid as untrusted input until the signature checks out: use it only to select among keys you already trust, never to load or fetch arbitrary key material.

Clock skew matters (time wobble)

Verifiers usually allow a small leeway when checking exp and nbf, from a few seconds up to a couple of minutes (RFC 7519 suggests no more than a few minutes), because issuer and verifier clocks are never perfectly in sync. A fast or slow clock on either side, including the laptop running this decoder, can flip a token from valid to expired or not yet valid.
