JWT Decoder

Decode JWT tokens to view header and payload data

Choose a Tool

JWT Token

Secret Key (Optional - for signature verification)

🔓 JWT Decoder

Decode JWT tokens to view header and payload. Optionally verify the signature with a secret key. All processing happens locally in your browser - no data is sent to any server.

How to use the JWT tools

Four tools for every JWT task — decode, generate, verify, and create signing secrets.

01
Choose a tool
Select Decoder to inspect a token, Generator to create one, Verifier to validate a signature, or Secret Generator to create a signing key.
02
Paste your token or fill in the fields
For the decoder and verifier, paste an existing JWT. For the generator, fill in the header and payload fields.
03
Copy the result
Copy the decoded payload, generated token, verification result, or signing secret.

Where JWT tools actually get used

Reading a token from the Network tab

Copy the Authorization header value from your browser's Network tab, paste it into the decoder, and see exactly what claims are inside — expiry, user ID, roles, whatever your app puts there.

Testing how your API handles different claims

Generate a token with a specific exp, sub, or custom claim to test edge cases — expired tokens, missing roles, wrong issuer — without touching your auth server.

Confirming a token wasn't tampered with

Paste the token and your signing secret into the verifier. If the signature doesn't match, the token was modified after it was issued.

Creating a signing secret for a new project

The secret generator produces a cryptographically random string suitable for HMAC-SHA256 signing. Don't use a human-readable password as a JWT secret.

Onboarding a developer to your auth system

Decode a real token from your app and walk through the header, payload, and signature. Faster than reading documentation.

Frequently asked questions

Free, no account, no limits.

Nothing leaves your browser. All JWT operations run locally in JavaScript.

A JSON Web Token (JWT) is a compact, URL-safe token format used to securely transmit information between parties. It consists of a header, payload, and signature separated by dots.

The token is processed only in your browser and never sent anywhere. However, as a best practice, avoid pasting tokens with sensitive claims in any online tool.

HS256, HS384, and HS512 (HMAC with SHA). RS256 and other asymmetric algorithms are not currently supported.

Yes, in any modern mobile browser.

Related developer tools

Hash Generator

Generate SHA-256, SHA-512, MD5 hashes of any text.

Password Generator

Cryptographically random passwords with custom rules.

UUID Generator

Cryptographically random UUID v4 identifiers.

Base64 Encoder / Decoder

Encode or decode Base64 strings in your browser.

Report an Issue

Found a problem with Jwt? Let us know.

Your feedback helps us improve.

Please wait while we prepare your experience