🛡️ Security Tool
JWT Decoder
Decode, inspect and verify JSON Web Tokens instantly.
🔒 100% client-side — your token never leaves your browser
JWT Algorithm Reference
| Algorithm | Family | Type | Key | Use Case |
|---|---|---|---|---|
| HS256 | HMAC-SHA256 | Symmetric | Shared secret | Single-server apps, APIs |
| HS384 | HMAC-SHA384 | Symmetric | Shared secret | Higher-security HMAC |
| HS512 | HMAC-SHA512 | Symmetric | Shared secret | Maximum HMAC security |
| RS256 | RSA-SHA256 | Asymmetric | RSA key pair | OAuth2, OIDC, microservices |
| RS384 | RSA-SHA384 | Asymmetric | RSA key pair | Higher-security RSA |
| RS512 | RSA-SHA512 | Asymmetric | RSA key pair | Maximum RSA security |
| ES256 | ECDSA P-256 | Asymmetric | EC key pair | Mobile, IoT, compact tokens |
| ES384 | ECDSA P-384 | Asymmetric | EC key pair | High-security EC |
| ES512 | ECDSA P-521 | Asymmetric | EC key pair | Maximum EC security |
| PS256 | RSASSA-PSS SHA-256 | Asymmetric | RSA key pair | FIPS-compliant systems |
| none | — | — | None | ⚠️ Unsecured — dev only |
Features
⚡ Instant Decode: Header and payload decoded as you type — no button click needed.
🔒 100% Client-Side: Your token is decoded in the browser and never sent to any server.
⏱️ Expiry Detection: Automatically detects and highlights expired, active and not-yet-valid tokens.
🔐 Signature Verify: Verify HS256/384/512 signatures with your secret key, right in the browser.
🎨 Colour-Coded Parts: Header, payload and signature highlighted in different colours for clarity.
🆓 100% Free: No account, no limits, no watermarks — free forever.
Frequently Asked Questions
Is it safe to paste my JWT here?
Yes. This tool decodes entirely in your browser using JavaScript. Your token is never sent to any server — you can verify this by opening the browser's Network tab while using the tool. However, you should still avoid sharing JWTs in screenshots or with untrusted parties, as they can grant access to protected resources.
What is a JWT?
A JSON Web Token (JWT) is a compact, URL-safe format for representing claims between parties. It has three Base64URL-encoded parts separated by dots: a header (algorithm & type), a payload (claims/data), and a signature (integrity proof). JWTs are widely used for authentication and authorisation in APIs and web apps.
Can this tool verify the signature?
For HS256, HS384 and HS512 tokens you can enter your secret key and the tool will verify the signature client-side using the Web Crypto API. For RS256/ES256 (asymmetric) tokens the tool shows the signature bytes but cannot verify without the public key in PEM format — paste the PEM key and it will attempt verification.
What do exp, iat and nbf mean?
These are registered JWT claim names. exp (Expiration Time) is the Unix timestamp after which the token must be rejected. iat (Issued At) is when the token was created. nbf (Not Before) is the earliest time the token should be accepted. The tool automatically converts these Unix timestamps to human-readable dates.
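The decoding and expiry-detection steps described above, as an added example that is not the tool's own code: it splits a token into its three Base64URL parts, decodes the header and payload, converts iat/nbf/exp to dates, and classifies the token as active, expired or not-yet-valid. Node's Buffer stands in for the browser's atob(); the sample token, the fixed timestamp and the optional clock-skew leeway are constructed assumptions for the demo.

```javascript
// Added example, not the tool's own code: split a JWT into its three parts,
// decode the header and payload, and classify the token by its time claims.
// Node's Buffer is used for Base64URL in place of the browser's atob().

function b64urlDecode(s) {
  const pad = '='.repeat((4 - (s.length % 4)) % 4);
  return Buffer.from(s.replace(/-/g, '+').replace(/_/g, '/') + pad, 'base64');
}

function b64urlEncode(data) {
  return Buffer.from(data).toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Decode the compact form. Decoding is not verification: until the signature
// has been checked, every claim below is untrusted input.
function decodeJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) {
    throw new Error(`expected 3 dot-separated parts, got ${parts.length}`);
  }
  const [h, p, s] = parts;
  return {
    header: JSON.parse(b64urlDecode(h).toString('utf8')),
    payload: JSON.parse(b64urlDecode(p).toString('utf8')),
    signature: b64urlDecode(s), // raw bytes; empty when the token is unsigned
  };
}

// Classify the validity window from exp and nbf. `now` is in Unix seconds.
// `leeway` (seconds) absorbs small clock skew between issuer and verifier,
// which RFC 7519 allows; keep it to a minute or two at most.
function claimStatus(payload, now = Math.floor(Date.now() / 1000), leeway = 0) {
  if (typeof payload.nbf === 'number' && now + leeway < payload.nbf) {
    return 'not-yet-valid';
  }
  if (typeof payload.exp === 'number' && now - leeway >= payload.exp) {
    return 'expired';
  }
  return 'active';
}

// Render the registered time claims as ISO-8601 dates for display.
function timeClaimsToDates(payload) {
  const out = {};
  for (const name of ['iat', 'nbf', 'exp']) {
    if (typeof payload[name] === 'number') {
      out[name] = new Date(payload[name] * 1000).toISOString();
    }
  }
  return out;
}

// Constructed sample: issued at a fixed instant, valid from 60 s later for
// one hour, with an empty signature part (assumption: this is test data only).
const ISSUED = 1700000000; // 2023-11-14T22:13:20Z
const SAMPLE_TOKEN = [
  b64urlEncode(JSON.stringify({ alg: 'HS256', typ: 'JWT' })),
  b64urlEncode(JSON.stringify({ sub: 'user-42', iat: ISSUED, nbf: ISSUED + 60, exp: ISSUED + 3600 })),
  '',
].join('.');

const decoded = decodeJwt(SAMPLE_TOKEN);
console.log(decoded.header, decoded.payload, timeClaimsToDates(decoded.payload));
console.log(
  claimStatus(decoded.payload, ISSUED + 30),   // not-yet-valid
  claimStatus(decoded.payload, ISSUED + 600),  // active
  claimStatus(decoded.payload, ISSUED + 7200), // expired
);
```

The status check deliberately treats a missing exp or nbf as "no constraint", which is what RFC 7519 specifies for optional claims; a server that wants every token to expire should additionally require exp to be present.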
What is the difference between HS256 and RS256?
HS256 uses a single shared secret for both signing and verifying (symmetric). RS256 uses a private key to sign and a separate public key to verify (asymmetric). RS256 is preferred in distributed systems where the verifier should be able to check tokens but not create new ones — for example, multiple microservices trusting an auth server.
Why is "alg: none" dangerous?
If a server accepts tokens with "alg: none", no signature is required, which lets an attacker forge any token by crafting the header and payload without signing it. Always reject tokens with alg: none in production.