JWT Decoder & Verifier

Decode a JSON Web Token, read its claims, and verify its signature.

Everything runs in your browser. Your token, secret, and keys never leave this page.

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
HS256

Header

{
  "alg": "HS256",
  "typ": "JWT"
}

Payload

{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022
}

About this tool

A JSON Web Token (JWT) is made of three base64url-encoded parts separated by dots: a header, a payload of claims, and a signature. This decoder parses the header and payload locally and can verify the signature with your secret or public key — nothing is uploaded.

FAQ

Is my token sent to a server?
No. Decoding and signature verification run entirely in your browser using the Web Crypto API. Your token, secret, and keys never leave your device.

Which signature algorithms are supported?
HMAC (HS256/384/512) with a shared secret, and RSA, RSA-PSS, and ECDSA (RS/PS/ES 256/384/512) with a public key in PEM or JWK format.

Does it validate token expiry?
The decoder shows token status from the exp and nbf claims, but signature verification is reported separately so you can verify the signature of an already-expired token.

Can it verify a token signed with "alg: none"?
No. "alg: none" carries no signature, so the tool reports it as unverifiable and flags it as insecure.

Andrei Rovnyi

Engineering leader, founder, and software developer building web platforms, game systems, and automation tools. 13 years of shipped work — currently at Gaijin.net.

© 2020-2026 XPLOIT FZE. All trademarks, names and logos belong to their respective copyright holders.