JWT Decoder & Encoder
Decode, encode, and verify JWT tokens. Analyze payload claims and validate signatures — all processing happens in your browser.
Paste a token or load the sample to inspect its structure.
Decoded
Header
Metadata such as the algorithm and token type.
Payload
Edit claims and timestamp values.
Signature
Enter a key to verify the signature or create a new token.
HMACHS256
About JWT Decoder & Encoder
The JWT Decoder & Encoder is a free, browser-based tool that decodes, verifies, and signs JSON Web Tokens. All decoding, verification, and signing run entirely in your browser, so your tokens and keys are never sent to a server.
It is built for developers debugging authentication flows. Paste a token to read its header and payload, inspect each claim, and see time claims like exp, iat, and nbf rendered as readable dates with relative time and an expired flag.
Enter a secret or public key to verify a signature, or edit the header and payload, supply a signing key, and generate a new token. It supports HMAC (HS256/384/512), RSA (RS and PS), ECDSA (ES), and EdDSA, using the Web Crypto-based jose library in the browser.
Decoding is not the same as verifying a signature, so an unverified token only shows what it claims, not that it is trustworthy. Paste production tokens or private keys only when you need to, and review sensitive claims before sharing any output.
Frequently asked questions
- Are my tokens or keys sent to a server?
- No. Decoding, signature verification, and signing all happen locally in your browser, and your token and keys are never transmitted.
- Which signing algorithms does it support?
- It supports HMAC (HS256, HS384, HS512), RSA (RS256/384/512 and PS256/384/512), ECDSA (ES256/384/512), and EdDSA.
- Does decoding a JWT mean it is valid?
- No. Decoding only reveals the header and payload. To confirm a token is genuine you must verify its signature with the correct secret or public key.