JWT Decoder & Validator

Decode a JSON Web Token to read its header and payload, see human-readable expiry and issued-at times, and verify the HS256/384/512 signature with your secret — all in your browser.

Header

{
  "alg": "HS256",
  "typ": "JWT"
}

Payload

{
  "sub": "1234567890",
  "name": "ScoutMyTool",
  "iat": 1516239022
}
Issued at: Thu, 18 Jan 2018 01:30:22 GMT

About this tool

A JSON Web Token (JWT) is three base64url-encoded parts joined by dots: a header describing the signing algorithm, a payload of claims, and a signature. This tool splits and decodes the header and payload into readable JSON, translates the standard time claims (iat, nbf, exp) into human-readable UTC and flags expired tokens, and — for the symmetric HS256, HS384, and HS512 algorithms — verifies the signature against a secret you provide using the browser's Web Crypto API. Decoding a JWT does not require the secret and reveals everything in the payload, which is the key security lesson: never put confidential data in a JWT, because anyone holding the token can read it. Verification, by contrast, proves the token was issued by someone who knows the secret and has not been altered. Asymmetric algorithms (RS/ES/PS), which verify with a public key rather than a shared secret, are decoded but not signature-checked here. Nothing you paste leaves your browser.

How to use it

  • Paste a JWT into the token box.
  • Read the decoded header and payload, plus the issued/expiry times.
  • To check the signature, enter the shared secret for an HS256/384/512 token.
  • A green check means the signature matches; red means it does not.

Frequently asked questions

Is it safe to paste a JWT here?
Yes — all decoding and verification happen locally in your browser with no network calls. That said, treat any token as a live credential: anyone who has it can use it until it expires, regardless of where it is decoded.
Why can I read the payload without the secret?
A JWT is only encoded, not encrypted. The base64url payload is trivially decodable by anyone. The signature does not hide the contents; it only proves they were not tampered with. Never store passwords or secrets inside a JWT payload.
Which algorithms can this tool verify?
The symmetric HMAC family — HS256, HS384, and HS512 — using the shared secret you enter. Asymmetric algorithms (RS256, ES256, PS256, etc.) are signed with a private key and verified with a public key/certificate, which this in-browser tool decodes but does not signature-check.
What do iat, nbf, and exp mean?
They are registered time claims, expressed as Unix seconds: iat is when the token was issued, nbf is the earliest time it is valid ("not before"), and exp is when it expires. The tool converts each to a readable UTC time and marks the token expired when exp is in the past.
My signature shows invalid but the token works — why?
The most common cause is a wrong or differently encoded secret (for example a base64-encoded secret entered as raw text, or trailing whitespace). The signature is computed over the exact header.payload bytes, so even a one-character secret difference fails. Confirm the algorithm and the exact secret your issuer uses.
Does decoding verify that a token is valid?
No. Decoding only reveals the contents. A token is only trustworthy if its signature verifies against the correct secret/key AND the current time is within its nbf/exp window. Check both before relying on a token.
