Paste any JSON Web Token and instantly decode the header, payload, and signature with this free JWT decoder online — no server, no account, everything runs in your browser using the native Web Crypto API. Timestamp fields like exp, iat, and nbf are automatically converted to human-readable dates so you can tell at a glance whether a token has expired.
Beyond basic decoding, the tool verifies HMAC signatures (HS256, HS384, HS512) in-browser and generates ready-to-use JWT signing code for JavaScript, PHP, Python, and Java — making it a complete JWT debugger and development utility.
How to Use the JWT Decoder
- Paste your JWT into the input field — click Paste from Clipboard or type the encoded token. The tool color-codes the three dot-separated parts (header, payload, signature) for visual clarity.
- Inspect the decoded data — the header shows the algorithm and token type; the payload displays all claims with timestamps rendered as dates.
- Verify the signature — for HMAC tokens (HS256, HS384, HS512), enter your secret key in the verification panel. Toggle "Base64 Encoded" if the secret is stored as Base64.
- Generate code — use the code generator tab to get a copy-ready snippet for signing JWTs in your preferred language and algorithm.
What Is a JSON Web Token?
A JSON Web Token (JWT) is a compact, URL-safe format for securely transmitting claims between parties. Defined in RFC 7519, every JWT has three Base64URL-encoded sections separated by dots:
- Header — declares the token type (JWT) and signing algorithm (HS256, RS256, etc.)
- Payload — contains the claims: user ID, roles, permissions, expiry time, and any custom data
- Signature — a cryptographic signature computed over the header and payload (an HMAC with a shared secret for HS* algorithms, or an RSA signature with a private key for RS* algorithms), which lets a verifier confirm the token has not been modified
JWTs are the standard credential format in REST APIs, OAuth 2.0 authorization flows, and OpenID Connect identity tokens.
Supported Algorithms
| Algorithm | Family | Description |
|---|---|---|
| HS256 | HMAC | HMAC with SHA-256 — symmetric, widely used |
| HS384 | HMAC | HMAC with SHA-384 |
| HS512 | HMAC | HMAC with SHA-512 — strongest symmetric option |
| RS256 | RSA | RSASSA-PKCS1-v1_5 with SHA-256 — asymmetric |
| RS384 | RSA | RSASSA-PKCS1-v1_5 with SHA-384 |
| RS512 | RSA | RSASSA-PKCS1-v1_5 with SHA-512 |
Common Use Cases
- Authentication debugging: When an API returns a 401 or your frontend gets an "invalid token" error, paste the JWT here to check the exp claim (has it expired?), the aud claim (does it match the expected audience?), and the algorithm before writing any code.
- Security audits: JWTs are Base64-encoded, not encrypted — the payload is readable by anyone. Paste tokens from your system here to confirm no sensitive data (passwords, PII, internal keys) is accidentally leaking through claims.
- Development and integration testing: Verify that your backend issues tokens with the correct claims, correct TTL (exp minus iat), and the right algorithm before writing integration tests against the auth flow.
- Signature verification: Enter your HMAC secret to confirm that a token was signed with the key you expect — useful when debugging token mismatches between services that share a secret.
- Learning JWT structure: The color-coded split view and human-readable claim display make this tool ideal for understanding how JWTs work without reading the RFC.
- Code generation: The built-in code generator produces copy-ready JWT signing snippets so you don't have to look up the right library methods and claim format for each language.
Frequently Asked Questions
Why is the JWT payload visible without any key?
The payload is only Base64URL-encoded, not encrypted. Anyone who has the token string can decode and read the payload without any key. The signature only proves the token was issued by someone with the correct secret — it does not hide the contents. Never store sensitive data in a JWT payload unless you use JSON Web Encryption (JWE).
What is the difference between HS256 and RS256?
HS256 is a symmetric algorithm: the same secret key is used both to sign the token and to verify it. RS256 is asymmetric: a private key signs the token, and a different (public) key verifies it. RS256 is preferred in distributed systems where multiple services need to verify tokens without ever receiving the signing secret. HS256 is simpler and faster, making it suitable for single-service or trusted-service scenarios.
How do I check if a JWT token has expired?
Paste the token here — the exp (expiration) claim is automatically rendered as a human-readable date and compared against the current time. If the token is expired, you'll see the expiry timestamp displayed clearly. The exp value itself is a Unix timestamp in seconds (e.g., 1740000000 = March 2025).
Can this tool verify RS256 or RS512 tokens?
Full signature verification in the browser is currently supported for HMAC-based algorithms (HS256, HS384, HS512). For RSA algorithms (RS256, RS384, RS512), the tool decodes and displays the token, but verifying the signature requires a public key — that operation is better performed in your backend using a JWT library.
Is my JWT token or secret sent to any server?
No. All decoding and verification happens entirely in your browser using JavaScript and the Web Crypto API. Your tokens, secrets, and payload data never leave your device. The tool also functions fully offline once the page is loaded.