JWT Decoder & Encoder

Free online JWT token decoder, encoder, and debugger. Decode JWT headers and payloads, verify signatures with multiple algorithms (HS256, RS256, ES256), validate claims, and encode new tokens. Features include token history, expiration checker, JSON formatting, and share functionality.

JWT Token Facts

Understanding JSON Web Tokens

  • 9 algorithms: supported signing methods (HS256/384/512, RS256/384/512, ES256/384/512)
  • 100% client-side: no server upload
  • Instant processing: real-time decode
  • 3 parts: token structure, header.payload.signature

💡 Pro Tip: A signed JWT (JWS) gives you integrity, not confidentiality. The header and payload are only base64url-encoded, so anyone holding the token can read them. Don't put secrets or sensitive personal data in the payload.


How to Use This Tool

Step-by-step guide to get started

How to Decode a JWT Token

  1. Paste Your Token: Copy and paste your JWT token into the "Encoded" textarea in the Decoder tab
  2. Auto-Parse: The token will automatically parse and display the decoded Header and Payload as formatted JSON
  3. View Token Info: Check the token information panel to see algorithm, issued at, expires at, and token size
  4. Verify Signature (Optional):
    • For HMAC algorithms (HS256/384/512): Enter your secret key
    • For RSA algorithms (RS256/384/512): Paste your public key in PEM format
    • For ECDSA algorithms (ES256/384/512): Paste your public key in PEM format
    • Click "Verify Signature" button
  5. Validate Claims: Automatic validation shows if the token is expired, not yet valid, or currently valid with countdown timer
  6. Export Data: Click export buttons to download the header or payload as JSON files

How to Encode a JWT Token

  1. Switch to Encoder Tab: Click the "Encoder" tab
  2. Edit Header: Modify the header JSON to set your desired algorithm and type
    • Example: {"alg": "HS256", "typ": "JWT"}
  3. Edit Payload: Add your claims to the payload JSON
    • Use quick-add buttons for common claims (exp, iat, nbf)
    • Add custom claims as needed
    • Example: {"sub": "1234567890", "name": "John Doe", "admin": true}
  4. Select Algorithm: Choose your signing algorithm from the dropdown
    • HMAC: HS256, HS384, HS512 (symmetric key)
    • RSA: RS256, RS384, RS512 (asymmetric key pair)
    • ECDSA: ES256, ES384, ES512 (elliptic curve)
  5. Enter Secret/Key:
    • For HMAC: Enter your secret key as a string
    • For RSA/ECDSA: Paste your private key in PEM format
  6. Generate Token: Click "Generate JWT" button
  7. Copy Token: Use the copy button to copy the generated token to your clipboard

Using Token History

  1. Recently decoded tokens are automatically saved to your browser's local storage. They sit there in plain text, readable by anything with access to your browser profile, until you clear them, so only decode test tokens here
  2. Access your token history by clicking the "History" button
  3. Select a token from the list to reload it into the decoder
  4. Clear history using the "Clear History" button if needed



How JWT Works

Understanding the structure of JSON Web Tokens

JWT Structure

A JWT token consists of three parts separated by dots (.):

header.payload.signature

1. Header

The header typically consists of two parts: the type of token (JWT) and the signing algorithm being used.

{
  "alg": "HS256",
  "typ": "JWT"
}

2. Payload

The payload contains the claims. Claims are statements about an entity (typically the user) and additional data. There are three types of claims:

  • Registered claims: Predefined claims like iss (issuer), exp (expiration), sub (subject), aud (audience)
  • Public claims: Custom claims whose names should be registered in the IANA "JSON Web Token Claims" registry or otherwise be collision-resistant (for example, a URI you control)
  • Private claims: Custom claims agreed between the parties that produce and consume the token; their names are not registered, so collisions with other parties' claims are possible

{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022,
  "exp": 1516242622
}

3. Signature

The signature lets the recipient check that the token was produced by someone holding the signing key and that the header and payload have not been altered since. The signing input is the base64url-encoded header, a dot, and the base64url-encoded payload; that string is signed with the key using the algorithm named in the header. For HS256 that is an HMAC over the two encoded parts:

HMACSHA256(
  base64UrlEncode(header) + "." +
  base64UrlEncode(payload),
  secret
)

Signature Verification

To verify a JWT signature:

  1. Decide which algorithm and key you expect, and reject the token if its header names a different algorithm (including "none"). Never let the token choose the algorithm, or an attacker can downgrade it
  2. For HMAC algorithms, recompute the MAC over the encoded header and payload with the shared secret; for RSA and ECDSA, run the public-key verification over the same input
  3. Compare the result with the signature part of the token using a constant-time comparison. A match shows the token is authentic and untampered; the claims still have to be validated before the token is accepted

Claim Validation

Common claims to validate include:

  • exp (Expiration Time): Reject the token once the current time is past exp, allowing a small leeway for clock skew
  • iat (Issued At): Reject tokens issued in the future or older than the maximum age your application tolerates
  • nbf (Not Before): Reject the token until the current time reaches nbf
  • iss and aud (Issuer and Audience): Reject tokens not issued by the issuer you trust or not intended for your service

A valid signature without these checks only proves the token was once issued with the right key, not that it is acceptable now.


Frequently Asked Questions

Find answers to common questions about JWT

A JWT (JSON Web Token) is an open standard (RFC 7519) for securely transmitting information between parties as a JSON object. It consists of three parts: header, payload, and signature. JWTs are commonly used for authentication and authorization in web applications.

Yes, absolutely! All JWT decoding and encoding happens entirely in your browser using JavaScript. No data is sent to our servers. Your tokens and secrets remain completely private. However, as a best practice, avoid using production tokens or real secrets on any online tool.

Our tool supports 9 JWT algorithms: HS256, HS384, HS512 (HMAC with SHA), RS256, RS384, RS512 (RSA with SHA), and ES256, ES384, ES512 (ECDSA with SHA). HMAC algorithms use symmetric keys, while RSA and ECDSA use asymmetric key pairs.

To verify a JWT signature: 1) Paste your token in the decoder, 2) Enter your secret key (for HMAC algorithms) or public key (for RSA/ECDSA algorithms), 3) Click "Verify Signature". The tool will indicate whether the signature is valid. A valid signature means the token was produced with the matching key and hasn't been tampered with; the exp and nbf claims still decide whether it is currently usable.

JWT claims are statements about an entity. Common registered claims include: exp (expiration time) - when the token expires, iat (issued at) - when the token was created, nbf (not before) - the time before which the token should not be accepted. Our tool automatically validates these claims and shows a countdown timer for expiration.

While all processing happens locally in your browser, we recommend using this tool only for development and debugging purposes. For production environments, use official JWT libraries in your programming language. Never paste production secrets or sensitive tokens into any online tool as a security best practice.

HS256 uses HMAC with SHA-256 and requires a shared secret key for both signing and verification (symmetric). RS256 uses RSA with SHA-256 and uses a private key for signing and a public key for verification (asymmetric). With HS256 every service that verifies tokens must hold the secret, and anything that can verify can also forge; with RS256 the verifiers hold only the public key, so the ability to mint tokens stays with the issuer. RS256 is generally preferred for production, especially when more than one service consumes the tokens, because it allows public verification without exposing the signing key.

In the Encoder tab, you can add custom claims by editing the payload JSON. Simply add your custom fields to the JSON object. For example: {"sub": "1234", "name": "John", "role": "admin", "customField": "value"}. Custom claims can be any valid JSON data type (string, number, boolean, array, object).

A JWT can be invalid for several reasons: 1) Incorrect format (must have 3 parts separated by dots), 2) Invalid Base64URL encoding, 3) Malformed JSON in header or payload, 4) Signature verification failed (wrong secret/key), 5) Token expired (exp claim in the past), 6) Token not yet valid (nbf claim in the future). Check the error message for specific details.

Yes! You can decode and view the header and payload of any JWT without the secret key. JWTs are Base64URL encoded, not encrypted, so the data is readable by anyone. However, you need the secret key to verify the signature and confirm that the token hasn't been tampered with. Remember: JWTs provide integrity (through signatures), not confidentiality.
