JWT Decoder & Encoder

Decode, inspect, and encode JWT tokens — 100% in your browser. Your tokens never leave your device.


How to Use

1. Select the Decode tab and paste your JWT token into the input box. The token should look like three Base64URL strings separated by dots.
2. Click Decode JWT. The header, payload, and signature sections will be displayed instantly with color-coded claims.
3. Review the expiry status — the tool automatically checks exp and iat claims and shows human-readable dates.
4. To create a JWT, switch to the Encode tab, set your payload JSON and secret key, then click Generate JWT.

Features

100% Browser-Based: Your JWT tokens are decoded locally — never sent to any server. Safe to use with sensitive tokens.
Expiry Checker: Automatically detects exp, iat, and nbf claims and converts them to readable dates with expired/valid badges.
JWT Encoder: Generate signed JWTs with HMAC-SHA256/384/512 using the Web Crypto API — all locally.
Color-Coded Output: Header in purple, payload in cyan, signature in green — visually match the standard JWT color convention.
One-Click Copy: Copy the decoded JSON or the generated JWT to clipboard with one click.
Mobile-Friendly: Responsive design works on all screen sizes. Use it on your phone to quickly inspect tokens in the field.

Use Cases

API Debugging

Quickly inspect the claims in a JWT returned from an authentication API to verify user ID, roles, and permissions are correctly set.

Token Expiry Troubleshooting

When users report 401 errors, paste the token to instantly see if it has expired, when it was issued, and when it stops being valid.

Security Auditing

Verify that JWTs use strong algorithms (RS256, ES256) rather than weak ones (none, HS256 with short keys) and that payloads don't contain sensitive data.

Learning & Prototyping

Learn how JWT structure works by creating tokens with different payloads and algorithms. Perfect for teaching JWT concepts in workshops.

OAuth 2.0 / OIDC Testing

Inspect ID tokens and access tokens from OAuth 2.0 and OpenID Connect flows to verify claims like sub, iss, aud, and scope.

FAQ

Is it safe to paste my JWT token here?
Yes. All decoding happens entirely in your browser using JavaScript. Your JWT token is never sent to any server. The tool works offline once the page is loaded.
What is a JWT token?
A JSON Web Token (JWT) is a compact, URL-safe way of representing claims between two parties. It consists of three Base64URL-encoded parts separated by dots: a header (algorithm type), a payload (claims/data), and a signature.
Can this tool verify JWT signatures?
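This tool displays the signature portion and the algorithm used, but it does not verify the signature. Full cryptographic signature verification requires a secret key, which you should never share in a browser tool. Decoded claims are therefore unverified: anyone can produce a token that decodes cleanly, so only the signature check on your server establishes that the claims are genuine.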
What does 'exp' mean in JWT payload?
The 'exp' (expiration time) claim identifies when the JWT must not be accepted. It is a Unix timestamp (seconds since Jan 1, 1970 UTC). This tool automatically shows the human-readable date and whether the token is expired.
How do I create (encode) a JWT?
Use the Encoder tab: fill in the header algorithm and payload claims, then enter a secret key. The tool generates a signed JWT using HMAC-SHA256 via the Web Crypto API — all locally in your browser.
What JWT algorithms are supported for decoding?
All standard JWT algorithms can be decoded since the header and payload are just Base64URL encoded JSON — HS256, RS256, ES256, PS256, and more.
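
Added example (not this tool's own code): a local decoder that follows the structure and exp handling described in the FAQ and applies the algorithm checks from the Security Auditing use case. The names b64urlToJson and inspectJwt and both sample tokens are constructed for illustration; the signature is decoded but never verified.

```javascript
// Added example, not the tool's source. Decodes only: the signature is NOT verified.
function b64urlToJson(part) {
  const b64 = part.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), c => c.charCodeAt(0));
  return JSON.parse(new TextDecoder('utf-8', { fatal: true }).decode(bytes));
}

function inspectJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split('.');
  if (parts.length !== 3) throw new Error('expected three dot-separated parts');
  const header = b64urlToJson(parts[0]);
  const payload = b64urlToJson(parts[1]);
  for (const o of [header, payload]) {
    if (o === null || typeof o !== 'object') throw new Error('header and payload must be JSON objects');
  }
  const findings = [];

  // Algorithm checks named in the Security Auditing use case.
  const alg = String(header.alg ?? '');
  if (alg.toLowerCase() === 'none') findings.push('alg is "none": token is unsigned');
  else if (parts[2] === '') findings.push('signature part is empty');
  else if (alg.startsWith('HS')) findings.push('HMAC algorithm: strength depends on the secret length');

  // exp / nbf / iat are Unix timestamps in seconds; 8.64e12 s is the JS Date limit.
  const times = {};
  for (const claim of ['exp', 'nbf', 'iat']) {
    if (!(claim in payload)) continue;
    const v = payload[claim];
    if (typeof v === 'number' && Math.abs(v) <= 8.64e12) times[claim] = new Date(v * 1000).toISOString();
    else findings.push(`${claim} is not a usable numeric timestamp`);
  }

  let timeStatus = 'not-expired';
  if (!('exp' in times)) {
    timeStatus = 'no-expiry';
    findings.push('no usable exp claim');
  } else if (nowSeconds >= payload.exp) timeStatus = 'expired';
  else if ('nbf' in times && nowSeconds < payload.nbf) timeStatus = 'not-yet-valid';
  return { header, payload, times, timeStatus, findings };
}

// Constructed sample tokens (the signature text is a placeholder, not a real MAC).
const enc = o => btoa(JSON.stringify(o)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const SAMPLE_HS256 = [enc({ alg: 'HS256', typ: 'JWT' }),
  enc({ sub: 'user-123', iat: 1700000000, exp: 1700003600 }), 'c2lnbmF0dXJl'].join('.');
const SAMPLE_NONE = [enc({ alg: 'none' }), enc({ sub: 'user-123' }), ''].join('.');
```

Passing nowSeconds explicitly makes the expiry result reproducible; omit it to compare against the current clock.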
