JWT Decoder, Validator & Encoder

What is JWT (JSON Web Token)?

JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way to securely transmit information between parties as a JSON object. This information can be verified and trusted because it is digitally signed.

JWTs are commonly used for authentication and authorization in web applications, mobile apps, and API services. A JWT consists of three parts separated by dots (header.payload.signature), each encoded in Base64url format.

  • Header: Contains the signing algorithm and token type.
  • Payload: Contains the claims (statements about an entity and additional data).
  • Signature: Verifies that the token hasn't been tampered with.

How to Use This JWT Tool

  1. Decode — Paste any JWT token to instantly decode and inspect its header, payload, and signature. The tool automatically detects the algorithm, checks expiration, and displays registered claims.
  2. Validate — Verify the integrity of a JWT by checking its signature using a secret key (for HS256/HS384/HS512) or a public key in PEM format (for RS256/RS384/RS512/ES256/ES384/ES512).
  3. Encode — Create a new JWT token by providing a custom header, payload, and signing key. The tool will generate the complete signed token.
  4. Copy & Download — Use the copy buttons to copy individual parts (header, payload, signature) or the entire token to your clipboard. Download header or payload as JSON files.

Frequently Asked Questions

What does JWT stand for?

JWT stands for JSON Web Token, an open standard for securely transmitting information between parties as a JSON object.

Can I decode a JWT without the secret key?

Yes! The header and payload of a JWT are only Base64url-encoded, not encrypted. Anyone can decode them to read the contents. The signature is what lets a verifier detect tampering; you need the key to verify it.

Is it safe to paste my JWT here?

Yes. All processing happens 100% client-side in your browser. Your tokens are never sent to any server. You can verify this by checking the Network tab in your browser's developer tools.

What is the difference between HS256 and RS256?

HS256 (HMAC with SHA-256) uses a single shared secret key for both signing and verification. RS256 (RSA with SHA-256) uses a private key to sign and a public key to verify, making it suitable for scenarios where the verifier shouldn't be able to create new tokens.

Why does my token show "expired" or "no expiration"?

The tool checks the exp (expiration) claim in the payload. If the token's expiration time has passed, it shows "Expired". If there is no exp claim, it shows "No expiration set" — which is generally not recommended for security.
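
The FAQ answers above, shown as an added example that is not part of the original page or the tool's own code: decoding needs no key, an HS256 signature check detects an edited payload, and the exp claim drives the expiry status. It runs under Node.js; the secret, claims, timestamp and function names are constructed for illustration.

```javascript
// Added example for Node.js; secret, claims and function names are constructed.
const nodeCrypto = require("node:crypto");

const b64urlJson = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
const decodePart = (part) => JSON.parse(Buffer.from(part, "base64url").toString("utf8"));

// Build an HS256 token so the example is self-contained.
function signHs256(payload, secret) {
  const signingInput = `${b64urlJson({ alg: "HS256", typ: "JWT" })}.${b64urlJson(payload)}`;
  const sig = nodeCrypto.createHmac("sha256", secret).update(signingInput).digest("base64url");
  return `${signingInput}.${sig}`;
}

// Decoding needs no key; only the signature check uses the secret.
function inspectJwt(token, secret, nowSeconds) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const [h, p, s] = parts;
  const header = decodePart(h);
  const payload = decodePart(p);

  // The verifier pins HS256; any other alg value (including "none") is not accepted.
  let signatureValid = false;
  if (header.alg === "HS256") {
    const expected = nodeCrypto.createHmac("sha256", secret).update(`${h}.${p}`).digest();
    const actual = Buffer.from(s, "base64url");
    signatureValid = actual.length === expected.length && nodeCrypto.timingSafeEqual(actual, expected);
  }

  // exp is seconds since the epoch; the token is expired once now >= exp.
  let expiry = "No expiration set";
  if (typeof payload.exp === "number") expiry = nowSeconds >= payload.exp ? "Expired" : "Not expired";
  return { header, payload, signatureValid, expiry };
}

// Constructed sample data.
const SECRET = "example-shared-secret";
const NOW = 1700000000;
const token = signHs256({ sub: "alice", role: "user", exp: NOW + 300 }, SECRET);

// Same header and signature, edited payload: still decodes, no longer verifies.
const [th, , ts] = token.split(".");
const forged = `${th}.${b64urlJson({ sub: "alice", role: "admin", exp: NOW + 300 })}.${ts}`;

console.log(inspectJwt(token, SECRET, NOW));
console.log(inspectJwt(forged, SECRET, NOW));
```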
