JWT Decoder & Encoder
Decode, encode, and validate JSON Web Tokens
About JWT
JSON Web Tokens are composed of three parts separated by dots (.): Header.Payload.Signature
- Header: Contains the token type and signing algorithm
- Payload: Contains the claims (statements about the user and additional metadata)
- Signature: Ensures the token hasn't been altered
Common claims include:
- iss (issuer): Who issued the token
- sub (subject): Who the token is about
- aud (audience): Who the token is for
- exp (expiration): When the token expires
- iat (issued at): When the token was issued
How to Use
1. Choose decode or encode mode
   Select whether you want to decode an existing JWT or create a new one. Decode mode allows inspection and verification, while encode mode lets you generate custom tokens.
2. Enter JWT or token data
   For decoding: paste your JWT token. For encoding: edit the header and payload JSON, then provide a secret key for signing.
3. Verify signatures (decode mode)
   Enter the secret key used to sign the token. The tool will verify if the signature is valid using HMAC algorithms (HS256/384/512).
4. View or copy results
   See decoded header, payload, and signature separately. Check token expiration times and copy individual parts or the complete token.
Frequently Asked Questions
What is a JWT token and how does it work?
JWT (JSON Web Token) is an open standard (RFC 7519) for securely transmitting information between parties as a JSON object. It consists of three parts separated by dots: Header (algorithm and token type), Payload (claims/data), and Signature (verification). The signature ensures the token hasn't been tampered with.
Is it safe to decode JWT tokens in this tool?
Yes, all JWT operations run entirely in your browser using JavaScript. No tokens, secret keys, or sensitive data are sent to our servers. The tool uses the Web Crypto API for signature verification. However, never share production secret keys or tokens containing sensitive data publicly.
What's the difference between HS256, HS384, and HS512?
These are HMAC-based signing algorithms using SHA-256, SHA-384, and SHA-512 respectively. HS256 is most common and provides adequate security for most applications. HS384 and HS512 offer stronger security with longer signatures but are rarely needed unless you have specific security requirements.
How can I tell if a JWT token has expired?
Check the "exp" (expiration) claim in the payload. It's a Unix timestamp indicating when the token expires. Our tool automatically highlights expired tokens and shows the expiration date in human-readable format. Also check "iat" (issued at) and "nbf" (not before) for complete token validity.
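The signature check from step 3 of "How to Use" and the exp/nbf check from the answer above, written out with the Web Crypto API. This is an added example, not this tool's source code; the function names, the allowedAlgs parameter and the result shape are assumptions made for the illustration.

```javascript
// Added example, not the tool's source. Runs in browsers and in Node.
const HASHES = new Map([['HS256', 'SHA-256'], ['HS384', 'SHA-384'], ['HS512', 'SHA-512']]);
const enc = new TextEncoder();

// Browsers and newer Node expose Web Crypto globally; older Node needs node:crypto.
const getSubtle = async () =>
  (globalThis.crypto ?? (await import('node:crypto')).webcrypto).subtle;

const b64urlEncode = (bytes) =>
  btoa(String.fromCharCode(...bytes)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const b64urlDecode = (s) => {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/') + '='.repeat((4 - (s.length % 4)) % 4);
  return Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
};

async function hmacKey(secret, alg, usage) {
  if (!HASHES.has(alg)) throw new Error(`unsupported alg: ${alg}`);
  const params = { name: 'HMAC', hash: HASHES.get(alg) };
  return (await getSubtle()).importKey('raw', enc.encode(secret), params, false, [usage]);
}

// Builds Header.Payload.Signature, the encode-mode output.
async function signJwt(header, payload, secret) {
  const input = [header, payload].map((o) => b64urlEncode(enc.encode(JSON.stringify(o)))).join('.');
  const key = await hmacKey(secret, header.alg, 'sign');
  const sig = await (await getSubtle()).sign('HMAC', key, enc.encode(input));
  return `${input}.${b64urlEncode(new Uint8Array(sig))}`;
}

// Decode-mode check: structure, pinned algorithm, signature, then exp/nbf.
async function verifyJwt(token, secret, allowedAlgs, now = Math.floor(Date.now() / 1000)) {
  const fail = (reason) => ({ valid: false, reason });
  const parts = token.split('.');
  if (parts.length !== 3) return fail('malformed');
  let header, payload, sig;
  try {
    [header, payload] = parts.slice(0, 2)
      .map((p) => JSON.parse(new TextDecoder().decode(b64urlDecode(p))));
    sig = b64urlDecode(parts[2]);
  } catch { return fail('malformed'); }
  // The verifier, not the token header, decides which algorithms are acceptable.
  if (!allowedAlgs.includes(header?.alg) || !HASHES.has(header.alg)) return fail('alg not allowed');
  const key = await hmacKey(secret, header.alg, 'verify');
  const signed = enc.encode(`${parts[0]}.${parts[1]}`);
  if (!(await (await getSubtle()).verify('HMAC', key, sig, signed))) return fail('bad signature');
  if (typeof payload?.exp === 'number' && now >= payload.exp) return fail('expired');
  if (typeof payload?.nbf === 'number' && now < payload.nbf) return fail('not yet valid');
  return { valid: true, header, payload };
}
```

The claims are read only after the signature verifies, so an altered payload is reported as a bad signature rather than as an expired or valid token.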