JWT Decoder

Decode and verify JSON Web Tokens securely in your browser.

What is this JWT decoder?

This free JWT decoder splits a JSON Web Token into its header, payload and signature and decodes the claims in your browser, so you can inspect — or even verify — tokens without sending them to any server.

How do I decode a JWT safely without leaking the token?

Paste the JWT and it instantly decodes the header and payload and shows each claim. Because decoding happens locally in your browser, the token — including production secrets — never leaves your device.

Key features

Header, payload & signature
Cleanly separates and decodes all three Base64URL segments of the token.
Claim analysis
Highlights standard claims such as issuer, subject, audience, issued-at and expiry, and flags expired tokens.
Optional HS256 verification
Enter your HMAC secret to verify HS256, HS384 or HS512 signatures locally.
Zero transmission
Tokens are decoded entirely client-side — safe to use even with live production credentials.

How to use it

Paste your JWT into the input. The decoder immediately shows the header and payload and analyses each claim, marking the token expired or not-yet-valid where relevant. To check integrity, enter the HMAC secret and verify the signature — all without a single network request.

Frequently asked questions

Is it safe to paste a production JWT here?

Yes. Decoding and verification run entirely in your browser, so the token and any secret you enter are never transmitted or stored.

Can it verify the signature?

Yes, for HMAC algorithms (HS256/384/512) — enter the shared secret and the tool confirms whether the signature is valid.

Why does it say my token is expired?

The decoder compares the token's exp claim to the current time; a past exp means the token is no longer valid.

Toolbox decodes tokens per the JWT standard (RFC 7519) and uses the browser's Web Crypto API for signature checks, so results match how your authentication server validates the same token.
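
The local decode, claim check and HMAC verification described above, sketched as an added example; it is not the tool's own source, and the function names and the sample token (a real header and payload with a placeholder signature) are constructed for illustration.

```javascript
// Added example (helper names are constructed; not the tool's own source).
const HMAC_HASH = new Map([['HS256', 'SHA-256'], ['HS384', 'SHA-384'], ['HS512', 'SHA-512']]);

// Constructed sample: valid header/payload encoding, placeholder signature ("AAAA").
const SAMPLE_TOKEN = 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.' +
  'eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.AAAA';

// Browsers and current Node expose Web Crypto globally; older Node needs node:crypto.
async function getSubtle() {
  return (globalThis.crypto ?? (await import('node:crypto')).webcrypto).subtle;
}

function b64urlToBytes(seg) {
  if (!/^[A-Za-z0-9_-]*$/.test(seg)) throw new Error('segment is not Base64URL');
  const b64 = seg.replace(/-/g, '+').replace(/_/g, '/') + '='.repeat((4 - (seg.length % 4)) % 4);
  return Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
}

// Decoding only parses the token; it proves nothing about who issued it.
function decodeJwt(token) {
  const parts = token.trim().split('.');
  if (parts.length !== 3) throw new Error('expected header.payload.signature');
  const json = (seg) => JSON.parse(new TextDecoder().decode(b64urlToBytes(seg)));
  return {
    header: json(parts[0]),
    payload: json(parts[1]),
    signature: b64urlToBytes(parts[2]),
    signingInput: `${parts[0]}.${parts[1]}`,
  };
}

// exp and nbf are NumericDate values: seconds since the Unix epoch (RFC 7519).
function timeStatus(payload, nowSec = Math.floor(Date.now() / 1000)) {
  if (typeof payload.exp === 'number' && nowSec >= payload.exp) return 'expired';
  if (typeof payload.nbf === 'number' && nowSec < payload.nbf) return 'not-yet-valid';
  return 'ok';
}

// Verifies HS256/384/512 locally; any other alg (including "none") is rejected.
async function verifyHmac(token, secret) {
  const { header, signature, signingInput } = decodeJwt(token);
  const hash = HMAC_HASH.get(header?.alg);
  if (!hash) return false;
  const subtle = await getSubtle();
  const enc = new TextEncoder();
  const key = await subtle.importKey('raw', enc.encode(secret), { name: 'HMAC', hash }, false, ['verify']);
  // subtle.verify recomputes the MAC over "header.payload" and compares it for us.
  return subtle.verify('HMAC', key, signature, enc.encode(signingInput));
}
```

The sample token decodes cleanly yet fails `verifyHmac` for every secret, which is the distinction to keep in mind: a readable payload is not a trusted one until the signature has been checked with an algorithm you allow.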