JWT Decoder & Generator

Decode, verify, and generate JWT tokens online. Inspect payload claims, verify HMAC SHA256 signatures, and create signed tokens — all locally in your browser.

Technical Audit

This utility is a high-performance tool optimized for modern browser environments. All data processing is executed client-side, so no token or key data is transferred to external servers.

JWT decode mode: inspect header and payload
JWT generate mode with HMAC SHA256 signing
Synchronized secret key management
One-click expiry claim injection (1h, 24h, 7d)
Zero-server architecture — keys never leave your browser
Base64URL compliant encoding

System FAQ

How do I decode a JWT token online?

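Paste your JWT token into the decoder. The tool automatically splits it into header, payload, and signature, displaying the header and payload as formatted JSON. No secret key is needed just to decode the payload, because the payload is only Base64URL-encoded, not encrypted. Decoded claims should be treated as untrusted until the signature has been verified.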

Can I verify a JWT signature without sending it to a server?

Yes. Enter your HMAC secret key and the tool verifies the signature locally using the CryptoJS library running in your browser. Your token and secret never leave your device.

What information is stored in a JWT payload?

Common JWT claims include: sub (user ID), exp (expiration timestamp), iat (issued at), iss (issuer), aud (audience), and custom application claims like roles or permissions.

How do I check if a JWT token is expired?

Decode the token and look at the exp claim — it's a Unix timestamp. The tool automatically checks this against the current time and tells you if the token is expired, valid, or about to expire.

Is it safe to paste my JWT token into an online tool?

Generally yes, with this tool — because it runs locally in your browser. Never paste JWTs containing sensitive data into online tools that send data to their servers. This tool is safe because nothing is transmitted.

What algorithm does this JWT generator use?

This tool uses HMAC SHA256 (HS256), the most common JWT signing algorithm. It uses a shared secret key for both signing and verification. For RS256 (asymmetric), a different tool with RSA key support is needed.
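The decode, verify, and expiry steps described in the FAQ above, as an added example that is not this tool's own code. It assumes Node.js and uses the built-in `crypto` module in place of CryptoJS; the function names, the secret, and the sample claims are constructed for illustration.

```javascript
// Added example (not the tool's source). Node's built-in crypto replaces CryptoJS here.
const nodeCrypto = require('crypto');

const b64url = (data) => Buffer.from(data).toString('base64url');
const hmac = (input, secret) => nodeCrypto.createHmac('sha256', secret).update(input).digest();

// Generate mode: sign base64url(header).base64url(payload) with HMAC-SHA256.
function signHS256(payload, secret) {
  const input = b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' })) + '.' + b64url(JSON.stringify(payload));
  return input + '.' + b64url(hmac(input, secret));
}

// Decode mode: split and parse only. Nothing here proves the token is authentic.
function decodeJwt(token) {
  const parts = String(token).split('.');
  if (parts.length !== 3) throw new Error('expected header.payload.signature');
  const [header, payload] = parts.slice(0, 2).map((p) => JSON.parse(Buffer.from(p, 'base64url').toString('utf8')));
  if (!header || typeof header !== 'object' || !payload || typeof payload !== 'object') {
    throw new Error('header and payload must be JSON objects');
  }
  return { header, payload, signingInput: parts[0] + '.' + parts[1], signature: Buffer.from(parts[2], 'base64url') };
}

// Verify mode: check the signature first, then exp. Returns { ok, reason, payload? }.
function verifyHS256(token, secret, nowSeconds = Math.floor(Date.now() / 1000)) {
  let t;
  try { t = decodeJwt(token); } catch (e) { return { ok: false, reason: 'malformed' }; }
  // Pin the algorithm: the token's own header must not choose it (this rejects alg "none").
  if (t.header.alg !== 'HS256') return { ok: false, reason: 'unexpected alg' };
  const expected = hmac(t.signingInput, secret);
  // Constant-time compare; timingSafeEqual throws on unequal lengths, so check length first.
  if (t.signature.length !== expected.length || !nodeCrypto.timingSafeEqual(t.signature, expected)) {
    return { ok: false, reason: 'bad signature' };
  }
  // exp is a Unix timestamp in seconds, while Date.now() is in milliseconds.
  if (typeof t.payload.exp === 'number' && nowSeconds >= t.payload.exp) {
    return { ok: false, reason: 'expired', payload: t.payload };
  }
  return { ok: true, reason: 'valid', payload: t.payload };
}

// Constructed sample: a token issued at a fixed time with a 1h expiry.
const DEMO_SECRET = 'constructed-demo-secret';
const DEMO_NOW = 1700000000;
const demoToken = signHS256({ sub: 'user-123', iat: DEMO_NOW, exp: DEMO_NOW + 3600 }, DEMO_SECRET);
console.log(decodeJwt(demoToken).payload);
console.log(verifyHS256(demoToken, DEMO_SECRET, DEMO_NOW));
console.log(verifyHS256(demoToken, DEMO_SECRET, DEMO_NOW + 3600));
```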