JWT Decode
Inspect JWT header & payload.
A free JWT decoder that splits and pretty-prints the header and payload, shows live expiry, and can optionally verify an HS256 signature with your secret. It all runs locally — your token is never uploaded.
How to use
- Paste a full JWT (header.payload.signature) into the box.
- Read the decoded header, payload, and the Valid / Expired tag with a live expiry countdown.
- To verify, enter your key in the secret field and click Verify for an HS256 check.
FAQ
- Is my token sent to a server?
- No. Decoding and verification happen locally with the Web Crypto API — neither the token nor the secret leaves your device.
- Does decoding mean the JWT is verified?
- No. Decoding just reads the contents and anyone can do it. To confirm a token is untampered you must verify the signature with the right secret — this tool supports HS256.
- Does it support RS256 and other algorithms?
- Verification currently supports HS256 (shared secret) only. RS256 and other asymmetric tokens still decode fine here — you just can’t verify them in this tool.
Related tools
- 2FA Authenticator — End-to-end encrypted 2FA vault with live codes.
- Password Vault — Zero-knowledge vault for site logins; survives password changes.
- Data Format — Convert between JSON, YAML, TOML, CSV.
- Base64 — Encode / decode text & files in Base64.
- URL Encode — Encode / decode URL components.
- Regex Tester — Live-highlight matches, debug regex.