
JWT Decoder & Verifier

Paste a JSON Web Token to inspect its header, payload, and signature. Verify HS256, RS256, ES256, and PS256 signatures entirely in your browser. Nothing is uploaded.

RFC 7519 — JWT spec
The official JSON Web Token specification. The normative reference for claim names, header parameters, and signature algorithms.
RFC 7515 — JWS spec
JSON Web Signature. Defines the alg parameter, the three-part base64url structure, and the rules for HS256/RS256/ES256/PS256.
IANA JWT registry
Registered JWT header parameters and claim names. The canonical list of standard claims like iss, sub, aud, exp, nbf, iat, jti.

Frequently asked questions

Is my token uploaded anywhere?
No. Decoding happens entirely in your browser using atob and JSON.parse. The verification step uses the Web Crypto API locally. Network requests are only made for the page itself.
What algorithms are supported?
All alg values in the JWS spec: HS256/384/512, RS256/384/512, ES256/384, and PS256/384/512. Signature verification uses the browser's built-in Web Crypto API, so no third-party cryptography libraries are loaded.
Why does my HS256 token fail verification with the same secret?
HMAC secrets are bytes, not strings. If the secret was generated with openssl rand -hex 32 or similar, paste the raw hex or base64 value. If it was created with a JWT_SECRET=*** env file, paste the literal string my-secret. Whitespace and trailing newlines matter.
What do the green / amber / red badges mean?
The exp, nbf, and iat claims are checked against the current time. VALID means the token is within its validity window. SOON means it expires in under 1 hour. EXPIRED means the current time is past exp.