The Story Circuit

JWT Decoder (JSON Web Token)

Decode and inspect JWTs with header, payload, signature & validation.


JWT Decoder — Inspect, Decode & Validate JSON Web Tokens

Decode JWTs instantly with our free JWT Decoder. Inspect header, payload, and signature, view pretty-printed JSON, and optionally validate HS256 signatures locally. The tool is built for developers, security engineers, and QA teams — fast, privacy-first, and 100% client-side.

Key features

  • Decode header & payload: Base64URL decode JWT parts and view formatted JSON.
  • Signature validation (HS256): Validate HMAC-SHA256 signatures locally using a secret key.
  • History & quick-load: Save recent tokens locally for fast debugging.
  • Copy & export: Copy decoded JSON or download payloads for debugging and analysis.
  • Privacy-first: All decoding & validation happens in your browser — no server uploads.

How to use the JWT Decoder

  1. Paste your JWT string into the input box (the token must have three dot-separated parts).
  2. Click Decode to view the decoded header and payload as pretty JSON.
  3. To validate an HS256 signature, provide the secret key and click Validate Signature.
  4. Copy or download decoded JSON for logs, debugging, or reporting.
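
The decode and HS256 validation steps above, written out as an added example (this is not the tool's own source code). It assumes Node.js and its built-in crypto module; the function names, the demo secret, and the sample token are constructed for illustration.

```javascript
const nodeCrypto = require("node:crypto");

// Base64URL-decode one token segment and parse it as a JSON object.
function decodeSegment(segment) {
  const value = JSON.parse(Buffer.from(segment, "base64url").toString("utf8"));
  if (value === null || typeof value !== "object") throw new Error("segment is not a JSON object");
  return value;
}

// Decode only: shows header and claims, proves nothing about authenticity.
function decodeJwt(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("token must have three dot-separated parts");
  return { header: decodeSegment(parts[0]), payload: decodeSegment(parts[1]), parts };
}

// Validate an HS256 token. The verifier fixes the algorithm, so a header that
// says "none" or names another algorithm is rejected before any HMAC is computed.
function verifyHs256(token, secret, nowSeconds = Math.floor(Date.now() / 1000)) {
  let decoded;
  try {
    decoded = decodeJwt(token);
  } catch (err) {
    return { valid: false, reason: "malformed" };
  }
  const { header, payload, parts } = decoded;
  if (header.alg !== "HS256") return { valid: false, reason: "unexpected alg" };
  const expected = nodeCrypto.createHmac("sha256", secret).update(`${parts[0]}.${parts[1]}`).digest();
  const supplied = Buffer.from(parts[2], "base64url");
  // timingSafeEqual throws on unequal lengths, so check the length first.
  if (supplied.length !== expected.length || !nodeCrypto.timingSafeEqual(supplied, expected)) {
    return { valid: false, reason: "bad signature" };
  }
  if (typeof payload.exp === "number" && nowSeconds >= payload.exp) return { valid: false, reason: "expired" };
  if (typeof payload.nbf === "number" && nowSeconds < payload.nbf) return { valid: false, reason: "not yet valid" };
  return { valid: true, payload };
}

// Helper for the constructed sample only: builds an HS256 token to feed the verifier.
function signHs256(payload, secret) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
  const signingInput = `${enc({ alg: "HS256", typ: "JWT" })}.${enc(payload)}`;
  return `${signingInput}.${nodeCrypto.createHmac("sha256", secret).update(signingInput).digest("base64url")}`;
}

const SECRET = "constructed-demo-secret"; // constructed value, not a real key
const sample = signHs256({ sub: "user-123", scope: "read", exp: 1700003600 }, SECRET);
console.log(decodeJwt(sample).payload, verifyHs256(sample, SECRET, 1700000000));
```

The claims are readable from decodeJwt alone; only verifyHs256 says whether they can be trusted, and it checks exp and nbf only after the signature has passed.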

Common use cases

  • Debugging authentication tokens from APIs and apps
  • Inspecting claims, issued-at, expiry, and scopes
  • Verifying webhooks and server-signed tokens locally
  • Teaching and debugging JWT behavior in dev environments

Frequently Asked Questions (FAQ)

What is a JWT?
A JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. It contains a header, payload, and signature.

Is decoding a JWT safe?
Yes. Decoding a JWT only reveals its header and payload; it does not prove authenticity. Signature validation is required to trust the token.

Does this tool validate JWT signatures?
It supports local HS256 (HMAC-SHA256) signature validation. For RS256 (public-key) validation, upload or paste the public key in PEM format, if the UI supports it.

Does this tool send my tokens to a server?
No. All decoding and validation are performed locally in your browser. No data is uploaded.

Can I view token expiry or issued-at claims?
Yes. The decoded payload will show standard claims like exp, iat, and nbf where available.

Can I validate HS256 tokens if I only have the public key?
No. HS256 requires the secret key used to sign the token. For RSA algorithms (RS256), you need the public key to validate signatures.
