Free, browser-based utilities for everyday developer workflows

JWT Decoder

Decode JSON Web Tokens (JWTs) in your browser. This tool decodes the header and payload using Base64URL and formats them as JSON. It can verify HMAC signatures (HS256/384/512) when you provide the shared secret. Do not paste secrets or tokens you do not control.

  • Decode JWT header and payload instantly.
  • Inspect claims like exp, iat, aud, iss.
  • Verify HMAC signatures (HS256/384/512) with a secret.

Use cases

Decode a JWT Token

Explore more in the Use cases library.

Token input

Paste a full JWT below in the format header.payload.signature. Only the first two parts are decoded; the signature is shown as-is.

Header
Payload (claims)
Signature (Base64URL)
Not verified
Algorithm: -

Signature verification is supported for HS256, HS384, and HS512 when you provide the shared secret. For RS256, ES256, and other asymmetric algorithms, use the JWT & OAuth Security Toolkit.

Next: JWT & OAuth Toolkit Base64 Tool Certificate & PEM Tools

How to use JWT Decoder

Paste a JSON Web Token into the input field. The tool splits it into header, payload, and signature segments, Base64URL-decodes each, and displays the JSON content in a formatted, readable view alongside the expiry time.

Common use cases

Developers use this to quickly inspect the claims inside a token during debugging — checking expiry, audience, issuer, and custom fields. Security engineers use it to audit token payloads for over-permissive claims, and QA teams use it to verify that authentication flows issue correctly structured tokens.

Why run this in your browser?

All processing happens locally in your browser. Your data never leaves your machine, making it safe for sensitive payloads, internal API responses, and confidential configurations.