JWT Decoder
Decode a JSON Web Token's header, payload, and claims — and optionally verify its signature. Token and keys never leave your browser.
Verification runs locally via Web Crypto. Your key is never transmitted or stored.
A JSON Web Token is three base64url-encoded parts joined by dots: a header (the signing algorithm and token type), a payload (the claims: who issued it, who it's for, when it expires), and a signature over the first two parts. Decoding is just base64url and JSON parsing, with no key involved, so anyone who holds a JWT can read its contents. Never put secrets in the payload.
The signature is what makes a JWT trustworthy: only someone with the signing key can produce a valid one. This tool verifies HS256 (shared secret) as well as RS256 and ES256 (public key) entirely in your browser via the Web Crypto API; the token and key never touch our server. The exp, iat, and nbf claims are shown as human-readable dates with expiry status.