JWT Decoder

// decode header · inspect payload claims · check expiry · verify signature · nothing leaves your browser


What is a JWT?

A JSON Web Token (JWT) is a compact, URL-safe way to represent claims between two parties. In its usual signed form it consists of three Base64URL-encoded parts separated by dots: a header (signing algorithm and token type), a payload (claims such as user ID, roles and expiry), and a signature computed over the first two parts, so that anyone holding the right key can detect a change to either the header or the payload.

How to use this tool

  • Paste any JWT — it decodes instantly as you type
  • The colored preview shows header, payload, and signature sections
  • Standard claims like exp, iat, nbf are shown with human-readable times
  • Token expiry is checked automatically against the current time
  • Enter your HMAC secret to verify the signature locally
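The decoding and claim display described above, written out as an added example (not the tool's own code) in browser-style JavaScript using atob/btoa and TextEncoder/TextDecoder, which also runs in Node 16+. The token is constructed inline with a hypothetical issuer, audience and a placeholder signature, so decoding succeeds but nothing here verifies the signature.

```javascript
// Added example, not the tool's own code: decode a JWT and describe its time claims.
// Browser-style JavaScript (atob/btoa, TextEncoder/TextDecoder); also runs in Node 16+.
// This only decodes. It does not verify the signature.

function base64UrlDecode(segment) {
  // JWT segments use the URL-safe alphabet (RFC 4648 section 5) without '=' padding.
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return new TextDecoder().decode(bytes);
}

function base64UrlEncode(text) {
  const bytes = new TextEncoder().encode(text);
  let binary = "";
  for (const b of bytes) binary += String.fromCharCode(b);
  return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Split on the two dots and JSON-parse the first two segments.
// The signature segment is raw bytes, so it is returned as-is.
function decodeJwt(token) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) {
    throw new Error(`expected 3 dot-separated segments, got ${parts.length}`);
  }
  const [headerB64, payloadB64, signatureB64] = parts;
  return {
    header: JSON.parse(base64UrlDecode(headerB64)),
    payload: JSON.parse(base64UrlDecode(payloadB64)),
    signatureB64,
  };
}

// exp, nbf and iat are NumericDate values: whole seconds since the Unix epoch
// (RFC 7519 section 4.1). A token is expired once now >= exp and not yet valid while now < nbf.
function describeTimeClaims(payload, nowSeconds = Math.floor(Date.now() / 1000)) {
  const result = {};
  for (const name of ["exp", "nbf", "iat"]) {
    if (typeof payload[name] === "number") {
      result[name] = new Date(payload[name] * 1000).toISOString();
    }
  }
  result.expired = typeof payload.exp === "number" && nowSeconds >= payload.exp;
  result.notYetValid = typeof payload.nbf === "number" && nowSeconds < payload.nbf;
  return result;
}

// Constructed sample token (hypothetical issuer and audience, placeholder signature).
const SAMPLE_PAYLOAD = {
  sub: "user-42",
  iss: "https://issuer.example",
  aud: "api.example",
  iat: 1700000000, // 2023-11-14T22:13:20Z
  nbf: 1700000000,
  exp: 1700003600, // one hour later
};
const SAMPLE_TOKEN = [
  base64UrlEncode(JSON.stringify({ alg: "HS256", typ: "JWT" })),
  base64UrlEncode(JSON.stringify(SAMPLE_PAYLOAD)),
  base64UrlEncode("not-a-real-signature"),
].join(".");

const decoded = decodeJwt(SAMPLE_TOKEN);
console.log(decoded.header, decoded.payload);
console.log(describeTimeClaims(decoded.payload, 1700001000)); // inside the validity window
console.log(describeTimeClaims(decoded.payload, 1700007200)); // after exp: expired is true
```

The time check is done against a caller-supplied clock rather than Date.now() directly, which is what makes the expiry logic testable and lets a tool show "expired as of" for a pasted token.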

Frequently Asked Questions

Is it safe to paste my JWT here?
Yes — this tool runs entirely in your browser. Your token is never sent to any server. That said, treat JWTs like passwords: a JWT is a bearer credential, so anyone who obtains a copy can use it until it expires. Avoid pasting production tokens that carry sensitive user data into any online tool unless you absolutely need to, and use test tokens when possible.
What do the standard JWT claims mean?
sub (subject) — who the token refers to. iss (issuer) — who created it. aud (audience) — who it is intended for; a service should reject tokens whose aud does not name it. exp (expiration time) — when it stops being valid. iat (issued at) — when it was created. nbf (not before) — the earliest time it is valid. The three time claims are Unix timestamps in seconds.
Why can't you verify RS256 or ES256 tokens?
Asymmetric algorithms like RS256 and ES256 require the issuer's public key for verification, typically a PEM-encoded key or a JWKS document published by your auth provider. This tool focuses on HMAC (HS256/HS384/HS512) verification with a shared secret. For asymmetric verification, you need the corresponding public key from your auth provider. Whichever family you use, the accepted algorithm should be fixed in the verifier's configuration rather than taken from the token's own header.
Can I decode a JWT without the secret?
Yes. The header and payload of a JWT are only Base64URL-encoded, not encrypted, so anyone holding the token can decode and read them. The secret (or, for asymmetric algorithms, the public key) is needed only to verify the signature, which proves the token was issued by someone holding the signing key and has not been altered since. Never put sensitive data in a JWT payload on the assumption that it is private.
What does "token expired" mean?
The exp claim is a Unix timestamp in seconds. Once the current time reaches or passes that timestamp, the token is expired and your server should reject it; verifiers typically allow a few seconds of leeway for clock skew between issuer and verifier. Many auth systems issue short-lived access tokens (15 minutes to 1 hour) and use refresh tokens to obtain new ones.