JWT Decode

Inspect JWT header & payload.

A free JWT decoder that splits and pretty-prints the header and payload, shows live expiry, and can optionally verify an HS256 signature with your secret. It all runs locally — your token is never uploaded.

How to use

  1. Paste a full JWT (header.payload.signature) into the box.
  2. Read the decoded header, payload, and the Valid / Expired tag with a live expiry countdown.
  3. To verify, enter your key in the secret field and click Verify for an HS256 check.

FAQ

Is my token sent to a server?
No. Decoding and verification happen locally with the Web Crypto API — neither the token nor the secret leaves your device.
Does decoding mean the JWT is verified?
No. Decoding just reads the contents and anyone can do it. To confirm a token is untampered you must verify the signature with the right secret — this tool supports HS256.
Does it support RS256 and other algorithms?
Verification currently supports HS256 (shared secret) only. RS256 and other asymmetric tokens still decode fine here — you just can’t verify them in this tool.

Related tools