Your data stays private — tokens are decoded, encoded, and verified entirely in your browser.
Your data stays private — tokens are decoded, encoded, and verified entirely in your browser.
A JSON Web Token (JWT) is a compact, URL-safe token made of three base64url-encoded parts — a header, a payload, and a signature — separated by dots. Use the Decoder to inspect and verify a token, or the Encoder to build and sign a new one. Everything runs locally in your browser.
Yes. Decoding, encoding, and signature verification all happen on your device using the browser's built-in Web Crypto API. Your token and keys are never uploaded or logged.
No — and this is important. Anyone can read a JWT's header and payload without any key, because they're only base64-encoded, not encrypted. Decoding proves nothing about authenticity. Only signature verification (entering the correct key) confirms the token was issued by who it claims and hasn't been tampered with.
Standard signed JWTs are not encrypted — the payload is readable by anyone who has the token. Never put passwords or secrets in a JWT payload.
Enter the signing key in the key field: the shared secret for HMAC algorithms (HS256/384/512), or a PEM public key for asymmetric ones (RS*, PS*, ES*). The tool re-computes and checks the signature and shows whether it is valid.
HS256, HS384, HS512, RS256, RS384, RS512, PS256, PS384, PS512, ES256, ES384, and ES512.
Keys must be in PKCS#8 (private) or SPKI (public) PEM format — i.e. -----BEGIN PRIVATE KEY----- or -----BEGIN PUBLIC KEY-----. PKCS#1 keys (-----BEGIN RSA PRIVATE KEY-----) aren't supported by the browser's crypto API; convert them to PKCS#8 first.