Online JWT Decoder & Verifier
Decode JSON Web Tokens (JWTs) to inspect their contents. Optionally, verify the signature if you have the secret key (client-side verification).
About JSON Web Tokens (JWT)
JSON Web Tokens are an open, industry-standard method (RFC 7519) for representing claims securely between two parties. A JWT consists of three parts separated by dots (.): Header, Payload, and Signature.
- Header: Typically consists of two parts: the type of the token (JWT) and the signing algorithm being used (e.g., HMAC SHA256 or RSA).
- Payload: Contains the claims. Claims are statements about an entity (typically, the user) and additional data. There are three types of claims: registered, public, and private claims.
- Signature: Created by taking the encoded header, the encoded payload, and a secret, and signing them with the algorithm specified in the header.
How This Tool Works:
- Paste JWT: Enter the full encoded JWT string into the designated textarea.
- Provide Secret (Optional): If you want to verify the token's signature (for HMAC algorithms like HS256, HS384, HS512), enter the secret key. This is done client-side and your secret is not transmitted. For RSA/ECDSA, verification would typically require the public key. This tool currently supports HMAC verification.
- Decode/Verify: Click the button. The tool will parse the JWT into its Header, Payload, and Signature components.
- View Decoded Data: The Header and Payload will be displayed as formatted JSON. Common timestamp claims in the payload (like iat, exp, nbf) will be converted to human-readable dates.
- Signature Status: If a secret is provided, the tool will attempt to verify the signature and display whether it is valid or invalid.
Security Note: While this tool performs decoding and verification client-side in your browser, always be cautious about where you paste sensitive JWTs, especially if they contain private information. The secret key you provide for verification is not sent over the network by this tool.
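The decode and HMAC verification steps listed under "How This Tool Works", as an added example that is not this tool's own code. It assumes Node.js and its built-in crypto module; the function names, sample claims and sample secret are constructed for illustration.

```javascript
// Added example (not the tool's own code). Uses Node.js's built-in crypto module.
const { createHmac, timingSafeEqual } = require('node:crypto');

// Allow-list of the HMAC algorithms the page names; any other alg is reported as unsupported.
const HMAC_ALGS = new Map([['HS256', 'sha256'], ['HS384', 'sha384'], ['HS512', 'sha512']]);

const b64url = (data) => Buffer.from(data).toString('base64url');
const parseJsonPart = (part) => JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));

// Split the token and decode header and payload. Decoding alone proves nothing about authenticity.
function decodeJwt(token) {
  const parts = String(token).trim().split('.');
  if (parts.length !== 3) throw new Error('expected header.payload.signature');
  const [rawHeader, rawPayload, signature] = parts;
  const header = parseJsonPart(rawHeader);
  const payload = parseJsonPart(rawPayload);
  // iat/exp/nbf are seconds since the Unix epoch; render them as ISO 8601 dates.
  const dates = {};
  for (const claim of ['iat', 'exp', 'nbf']) {
    if (typeof payload[claim] === 'number') {
      dates[claim] = new Date(payload[claim] * 1000).toISOString();
    }
  }
  return { header, payload, signature, dates, signingInput: `${rawHeader}.${rawPayload}` };
}

// Recompute the HMAC over "header.payload" and compare it with the token's signature.
function verifyHmac(token, secret) {
  const { header, signature, signingInput } = decodeJwt(token);
  const hash = HMAC_ALGS.get(header.alg);
  if (!hash) return { valid: false, reason: `unsupported alg "${header.alg}"` };
  const expected = createHmac(hash, secret).update(signingInput).digest();
  const given = Buffer.from(signature, 'base64url');
  // timingSafeEqual throws on a length mismatch, so compare lengths first.
  const valid = given.length === expected.length && timingSafeEqual(given, expected);
  return { valid, reason: valid ? 'signature valid' : 'signature invalid' };
}

// Constructed sample token (hypothetical claims and secret), built here so the example runs offline.
function makeSampleToken(header, payload, secret) {
  const signingInput = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(payload))}`;
  const hash = HMAC_ALGS.get(header.alg);
  const sig = hash ? b64url(createHmac(hash, secret).update(signingInput).digest()) : '';
  return `${signingInput}.${sig}`;
}

const SAMPLE_SECRET = 'constructed-demo-secret';
const SAMPLE = makeSampleToken({ alg: 'HS256', typ: 'JWT' }, { sub: 'demo-user', iat: 1516239022 }, SAMPLE_SECRET);
console.log(decodeJwt(SAMPLE).dates, verifyHmac(SAMPLE, SAMPLE_SECRET));
```

The signature check covers the exact encoded header and payload bytes, so any change to either part after signing makes verification fail.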