🔐 JWT Decoder & Encoder

Decode any JSON Web Token instantly — or encode and sign your own. Verify HMAC signatures, live expiry countdown. Free, private, no signup.

Header

              
Payload

                
Signature

                

⚠ Signature is base64url-encoded — not encrypted. Only verifiable with the original secret.

Verification runs entirely in your browser — your token and secret never leave your device.

Generated Token

              

✓ Token generated entirely in your browser using Web Crypto API — your secret never leaves your device.

About This JWT Decoder & Encoder

This JWT decoder and encoder gives developers a complete toolkit for working with JSON Web Tokens in one place. Paste any token into the Decode tab and instantly see the header, payload, standard claims, and a live expiry countdown — all without sending data to a server. Whether you are debugging an authentication flow, chasing an unexpected 401 error, or inspecting token claims from an unfamiliar issuer, a reliable JWT decoder is one of the most-reached-for tools in a developer's daily workflow.

Two unique features make this JWT decoder stand out. First, the live expiry countdown — if the payload contains an exp claim, the tool displays a real-time timer counting down to the second, turning orange when expiry is within five minutes and red once the token has expired. Second, the Encoder tab lets you generate properly signed HMAC tokens using the browser's Web Crypto API, then instantly verify them with the built-in "Send to Decoder" round-trip test. No other free JWT decoder tool provides both decode and encode in one privacy-preserving, fully client-side interface.

Decoding a JWT — What You See

A JSON Web Token has three dot-separated parts. The header declares the algorithm and token type. The payload carries claims — user identity, permissions, and timing data. The signature is a cryptographic hash that prevents tampering. This JWT decoder color-codes all three sections, formats the JSON with syntax highlighting, and maps standard registered claims (iss, sub, aud, iat, exp, nbf) to human-readable labels automatically.

HMAC Signature Verification

Enter the secret key in the Verify Signature field and click Verify. The tool uses crypto.subtle.verify() to compute the expected HMAC and compare it to the token's signature — exactly as a backend would. This works for HS256, HS384, and HS512 tokens. RSA and EC tokens (RS256, ES256) require a public key and are not supported in this client-side tool.

Encoding and Signing JWT Tokens

The Encoder tab lets you create valid signed tokens for testing and development. Edit the payload JSON, select an algorithm, enter a secret, and click Generate. The token is signed client-side using crypto.subtle.sign() — your secret never leaves the browser. Use "Add Expiry" to append a 1-hour exp claim, then "Send to Decoder" to immediately verify the generated token is correct.

When to Use a JWT Decoder

  • An API returns 401 Unauthorized and you need to inspect what claims the token contains
  • A token appears valid but is silently expired — the live countdown confirms this instantly
  • Audience or issuer mismatches are causing access to be denied
  • Building a new authentication integration and needing to verify token structure
  • Generating test tokens for development without spinning up an auth server

Frequently Asked Questions

A JWT decoder is a tool that splits a JSON Web Token into its header, payload, and signature, then base64url-decodes the first two into readable JSON. This lets developers inspect claims, algorithm, and expiry without needing the secret key. This tool goes further by also verifying HMAC signatures and encoding new tokens.

Paste your JWT token into the Decode tab above. The JWT decoder instantly splits it at the dots, base64url-decodes the header and payload, and displays each section as formatted JSON. Standard claims like exp, iat, and sub are labelled automatically, and the expiry countdown starts immediately if an exp claim is present.

This JWT decoder runs entirely in your browser using native Web Crypto API and atob(). No token data is sent to any server, logged, or stored. As a best practice, avoid pasting live production tokens containing sensitive user data into any online tool — even client-side ones. Use test or development tokens for debugging.

The header contains the token type and signing algorithm (e.g. HS256). The payload contains the claims — user ID, roles, expiry. The signature is a cryptographic hash that prevents tampering. The header and payload are only base64url-encoded, not encrypted — so any JWT decoder can read them without the secret. Only the signature requires the key to verify.

No. HMAC signature verification requires the original secret key. The Verify Signature feature uses crypto.subtle.verify() to compute and compare the HMAC — but you must supply the same secret used to sign the token. RSA/EC tokens (RS256, ES256) cannot be verified here as they require a public key. Always verify tokens server-side in production.

Switch to the Encode tab, edit the payload JSON, choose an algorithm (HS256, HS384, or HS512), enter a secret key, and click Generate JWT. Use "Add Expiry" to include a 1-hour expiry claim. The token is signed using crypto.subtle.sign() — your secret never leaves the browser. Click "Send to Decoder" to instantly verify the generated token is correct.