Advertisement
Advertisement

Free online JWT decoder, verifier and encoder — decode, verify, and sign JSON Web Tokens in your browser.

Your data stays private — tokens are decoded, encoded, and verified entirely in your browser.


            
          

            
          
Advertisement

About JSON Web Tokens

A JSON Web Token (JWT) is a compact, URL-safe token made of three base64url-encoded parts — a header, a payload, and a signature — separated by dots. Use the Decoder to inspect and verify a token, or the Encoder to build and sign a new one. Everything runs locally in your browser.

Is it safe to paste my token here?

Yes. Decoding, encoding, and signature verification all happen on your device using the browser's built-in Web Crypto API. Your token and keys are never uploaded or logged.

Does decoding a JWT verify it?

No — and this is important. Anyone can read a JWT's header and payload without any key, because they're only base64-encoded, not encrypted. Decoding proves nothing about authenticity. Only signature verification (entering the correct key) confirms the token was issued by who it claims and hasn't been tampered with.

Are JWTs encrypted?

Standard signed JWTs are not encrypted — the payload is readable by anyone who has the token. Never put passwords or secrets in a JWT payload.

How do I verify a signature?

Enter the signing key in the key field: the shared secret for HMAC algorithms (HS256/384/512), or a PEM public key for asymmetric ones (RS*, PS*, ES*). The tool re-computes and checks the signature and shows whether it is valid.

Which algorithms are supported?

HS256, HS384, HS512, RS256, RS384, RS512, PS256, PS384, PS512, ES256, ES384, and ES512.

Why does my public/private key fail?

Keys must be in PKCS#8 (private) or SPKI (public) PEM format — i.e. -----BEGIN PRIVATE KEY----- or -----BEGIN PUBLIC KEY-----. PKCS#1 keys (-----BEGIN RSA PRIVATE KEY-----) aren't supported by the browser's crypto API; convert them to PKCS#8 first.