Free tool · Runs in your browser

JWT Decoder & Verifier

Decode a JSON Web Token to read its header and payload, see every claim in plain English with expiry times, and verify the signature against a secret or public key - HS256, RS256, ES256, and PS256. Everything runs in your browser; nothing is uploaded.

Decoding and verification run entirely in your browser - your token and secret are never uploaded. Safe for real access tokens.

Try:
Encoded token
Header, payload, and claims appear here as you type.

What is a JWT?

A JSON Web Token (JWT) is a compact, URL-safe way to carry a set of claims - facts about a user or client - between two parties. It is the format behind most modern authentication: after you log in, the server hands your browser or app a signed JWT, and every following request presents that token so the API knows who you are without a database lookup.

A JWT is three Base64URL strings joined by dots: header.payload.signature. The first two are just JSON that anyone can read - this tool decodes them instantly. The third is a cryptographic signature that proves the token has not been tampered with.

The three parts: header, payload, signature

  • Header - JSON describing how the token is signed. The key field is alg (the algorithm, e.g. HS256 or RS256); kid names which key to use.
  • Payload - JSON holding the claims: registered ones like sub, exp, and iss, plus any custom fields your app adds (roles, scopes, tenant IDs).
  • Signature - the header and payload run through the signing algorithm with a key. Change a single byte of the header or payload and the signature no longer matches.

Because the header and payload are only encoded, not encrypted, decoding a JWT never needs a key or password. Verifying it does.

How JWT signature verification works

The signature is computed over the exact string base64url(header) + "." + base64url(payload). To verify a token you recompute or check that signature and confirm it matches - which also proves the token was issued by whoever holds the key and has not been altered.

How you check it depends on the algorithm family:

  • HMAC (HS256/384/512) uses one shared secret for both signing and verifying. Paste that secret to verify.
  • RSA and ECDSA (RS/PS/ES) use a key pair: the issuer signs with a private key, and you verify with the matching public key (or a JWK / certificate). You never need the private key to verify.

This tool performs the check with the browser's native Web Crypto API, so your secret or key never leaves the page.

JWTs are signed, not encrypted

This is the most important and most misunderstood point: a standard JWT provides integrity, not confidentiality. The payload is Base64URL, which anyone who intercepts the token can decode in one step - exactly what this tool does. The signature stops them from changing it, but it does nothing to hide it.

So never put secrets in a payload: no passwords, no card numbers, no private personal data. If the contents truly must be hidden, you need an encrypted token (JWE), which is a different format. For an ordinary signed JWT, treat the payload as public.

HS256 vs RS256: which should you use?

The two most common algorithms answer one question differently: who is allowed to create tokens?

HS256 (HMAC)RS256 (RSA)
Key modelOne shared secretPrivate key signs, public key verifies
Who can signAnyone with the secretOnly the private-key holder
Who can verifyAnyone with the secretAnyone with the public key
Best forA single service verifying its own tokensMany services / clients verifying one issuer

Use HS256 when the same service both issues and checks the token. Use RS256 (or ES256) when tokens are issued centrally and verified elsewhere, so verifiers only ever hold the public key and can never mint their own tokens.

Common JWT mistakes (and alg: none)

  • Accepting alg: none- a token can declare it is unsigned. A verifier that trusts the header's alg blindly will accept a forged, unsigned token. Always pin the expected algorithm on the server.
  • The algorithm-confusion attack - if a server verifies with a public key but does not pin the algorithm, an attacker can re-sign a token as HS256 using that public key as the HMAC secret. Pin the alg.
  • Not checking exp - decoding a token is not validating it. A correct server must reject expired tokens and check nbf, aud, and iss too.
  • Trusting a decoded payload - reading claims without verifying the signature means trusting data anyone could have edited. Verify first, then trust.

Registered JWT claims

ClaimNameWhat it means
issIssuerWho issued the token, usually the auth server or app URL.
subSubjectWho the token is about - typically the user or client ID.
audAudienceWho the token is for. Your API should reject a token whose audience is not itself.
expExpirationThe token must be rejected on or after this Unix time.
nbfNot beforeThe token is not valid until this Unix time.
iatIssued atWhen the token was created.
jtiJWT IDA unique identifier used to prevent the token being replayed.
JWT FAQ

Frequently asked questions

Yes. Decoding and signature verification run entirely in your browser using the Web Crypto API - the token, the secret, and any key you paste are never sent to a server or logged. That said, treat real access tokens carefully anywhere, and prefer expired or test tokens when you can.
Yes. The header and payload of a JWT are only Base64URL-encoded, not encrypted, so they can always be decoded without any key. You only need a secret or public key to verify the signature - that is, to prove the token is authentic and unmodified.
Paste the token, then provide the key that matches its algorithm. For HS256/384/512 that is the shared secret. For RS256, PS256, or ES256 it is the issuer's public key, which you can paste as a PEM public key, a JWK, or an X.509 certificate. The tool shows VALID or INVALID as soon as the key is entered.
The exp claim is a Unix timestamp; once the current time passes it, a correct server will reject the token even if the signature is still valid. This tool decodes exp, iat, and nbf into readable local and UTC times and shows a red badge with how long ago the token expired.
No. A standard JWT (a JWS) is signed, not encrypted. The signature guarantees the contents were not changed, but the payload is fully readable by anyone who has the token. Never store passwords or sensitive data in a JWT payload. If you need the contents hidden, use an encrypted JWE instead.
HS256 uses a single shared secret to both sign and verify, so anyone who can verify can also create tokens. RS256 uses a key pair: the issuer signs with a private key and everyone else verifies with the public key, so verifiers can never mint their own tokens. Use HS256 for a single self-contained service and RS256 when tokens are issued centrally and verified in many places.
alg: none is a JWT that declares it has no signature. If a server trusts the algorithm named in the token header, an attacker can strip the signature, set alg to none, and forge any claims they like. This tool flags alg: none as a critical warning. Servers should always pin the expected algorithm rather than read it from the token.
All the common JWS algorithms: HS256/384/512 (HMAC), RS256/384/512 (RSA PKCS#1 v1.5), PS256/384/512 (RSA-PSS), and ES256/384/512 (ECDSA). Verification uses the browser Web Crypto API, so no data leaves your machine.
Stop pasting tokens into web tools

Keep secrets on your own machine.

This tool runs entirely in your browser - your tokens and keys are never uploaded. CtrlOps takes the same local-first approach to real credentials: SSH keys and server secrets stay encrypted on your device, never synced to a cloud.

Start instantly· No credit card· No sneaky autorenewals