JWT Decoder & Encoder

Paste a JWT and see its header, payload, and claims decoded into readable JSON. Or build a new token from scratch for API testing. Runs entirely in your browser — no token data leaves your machine.

JWT Token Facts

Understanding JSON Web Tokens

  • 9 algorithms: supported signing methods
  • 100% client-side: no server upload
  • Instant processing: real-time decode
  • 3-part token structure: Header.Payload.Signature

💡 Pro Tip: JWTs provide integrity through signatures but are NOT encrypted. Don't store sensitive data in JWT payloads.

How to Use This Tool

Step-by-step guide to get started

Decoding a JWT

Copy your token from wherever it lives — a browser cookie, a request header, an API response, a log file — and paste it into the input field. Select "Decode" and you'll see the header and payload displayed as formatted JSON side by side. The tool also calls out important claims like expiration time and converts Unix timestamps to human-readable dates so you don't have to calculate manually.

If the token is malformed (wrong number of segments, invalid Base64URL characters), you'll get an error message explaining what's wrong rather than silent garbage output.

Encoding a JWT

Switch to the Encode tab. Enter your header JSON (the algorithm and token type), your payload JSON with whatever claims you need, and your secret or private key. Choose your algorithm and click Generate. The resulting signed token is ready to copy into your API testing tool, Postman, curl request, or wherever you need it.

This is particularly handy when you need to test edge cases — an expired token, a token with a missing required claim, or a token signed with a different secret than expected.

How JWT Works

Understanding the structure of JSON Web Tokens

Technical Overview

The JWT Decoder & Encoder follows the JSON Web Token specification (RFC 7519) to split, decode, and generate tokens. A JWT consists of three Base64URL-encoded parts separated by periods.

JWT Structure

Each token is divided into header, payload, and signature components:

xxxxx.yyyyy.zzzzz

The header and payload are JSON objects encoded using Base64URL encoding.

Decoding Process

  • Header: Decoded to reveal algorithm and token type
  • Payload: Decoded to show claims and custom data
  • Signature: Displayed for inspection only; it is a signature over the header and payload, not encrypted data, so there is nothing to decrypt

Encoding Process

When encoding, the tool Base64URL-encodes the header and payload, then signs them using the selected algorithm and secret or key to produce the signature.

All processing happens locally in your browser, ensuring accuracy while following JWT standards.

💡 Pro Tip: JWTs provide integrity (signatures), not confidentiality. Don't store sensitive data in the payload!

Frequently Asked Questions

Find answers to common questions about JWT

A JSON Web Token (JWT) is a compact, self-contained way to transmit information between parties as a signed JSON object. You'd need to decode one when debugging an authentication flow — to check what claims are inside, whether the token has expired, what algorithm signed it, or why a protected route is rejecting it.

The decoding runs entirely in your browser. No data is sent to a server or stored anywhere. That said, for production tokens that carry sensitive information, use this in a private browsing session and avoid pasting them into any tool you haven't verified. Development and test tokens are fine.

The tool supports HS256, HS384, HS512 (HMAC with SHA), and RS256 (RSA with SHA-256). These cover the vast majority of JWT implementations in the wild.

Paste the full JWT string — all three dot-separated parts — into the input field and select Decode. The header and payload appear as formatted JSON immediately.

Decoding reads the contents of the token without checking whether it's valid. Anyone can decode a JWT because the payload is only Base64URL-encoded, not encrypted. Verification is different — it uses the secret key or public key to confirm that the signature is valid and the token hasn't been tampered with. This tool does decoding; signature verification requires the key.

JWTs must have exactly three segments separated by dots. The most common causes of this error are: extra whitespace or line breaks in the pasted token, a truncated token (check that you copied the whole thing), or a value that's a session ID or opaque token rather than an actual JWT.

Yes. The header and payload are a direct Base64URL decode of what's in the token. There's no interpretation or transformation — if the token says exp: 1700000000, that's what you'll see (along with the converted human-readable date).

Yes, that's exactly what the encoder is for. Specify your claims, choose your algorithm, enter your secret, and generate a signed token you can use in Postman, curl, or your integration tests.

No. Everything runs client-side in your browser. Nothing is transmitted to a server. Your tokens are never stored, logged, or shared.

JWTs have an exp (expiration) claim that contains a Unix timestamp. If the current time is past that timestamp, the token is expired. This is working as designed — your application should reject expired tokens. To fix it, generate a new token with a future exp value, or adjust the expiration logic on your auth server.
