JWT Decoder & Verifier
Decode JSON Web Tokens and verify their signatures (HS256, RS256, ES256, EdDSA) entirely in your browser using the Web Crypto API.
How It Works
Paste a JSON Web Token into the input — the tool instantly splits it into its three Base64URL-encoded parts (header, payload, signature), decodes the first two to JSON, and pretty-prints them with syntax highlighting. Standard claims like iat, nbf, exp, iss, sub, and aud are rendered as human-readable dates or labels where appropriate so you can spot expired or not-yet-valid tokens at a glance.
To verify the signature, paste the signing secret (for HS256/HS384/HS512) or the public key in PEM or JWK format (for RS256, ES256, ES384, ES512, or EdDSA). The tool uses the browser's Web Crypto API to check the signature segment against header.payload: for the HMAC algorithms it recomputes the signature and compares it in constant time, and for the public-key algorithms it runs signature verification with the supplied key. A green badge means the token is authentic, a red badge means the signature is invalid or the wrong key was used.
Everything runs locally: the token, the secret, and the key never leave your browser, which is why most online JWT tools refuse to verify signatures at all.
Use Cases
- Debugging authentication bugs in a web or mobile app by inspecting exactly what claims a token contains
- Verifying that an expired or tampered token is correctly rejected by your authorization logic
- Checking that your identity provider is signing tokens with the right key and algorithm
- Teaching JWT structure, claims, and common mistakes (alg none, key confusion, missing exp) with a real example
- Quickly triaging a production incident where a token is being rejected by a downstream service