JWT Decoder & Validator
Decode a JWT's header and payload, inspect its claims, and verify an HS256 signature.
Updated: June 26, 2026
What is a JWT?
A JSON Web Token (JWT) is a compact, URL-safe way to represent claims between
two parties. It has three Base64url-encoded parts separated by dots:
header.payload.signature. The header names the signing algorithm,
the payload carries the claims (who the user is, when the token expires), and
the signature lets the recipient verify the token wasn't tampered with.
What this tool shows you
Paste a token and it instantly decodes the header and payload into readable JSON, then interprets the standard time claims so you can see at a glance whether the token is still valid:
- exp — expiration time; the tool flags an expired token.
- nbf — "not before"; flags a token that isn't valid yet.
- iat — issued-at time, shown for reference.
The decoding is just Base64url + JSON — it does not prove the token is genuine. Anyone can read a JWT's payload, which is why you should never put secrets in it.
Verifying the signature
To confirm a token is authentic you must check its signature against the signing key. This tool can verify the most common case — HS256 (HMAC-SHA256) — directly in your browser: paste the shared secret and it recomputes the signature and compares. If it matches, the token was signed with that secret and hasn't been altered. Asymmetric algorithms (RS256, ES256) verify against a public key instead and aren't covered here.
Security notes
- The payload is readable by anyone. Treat it as public. Never store passwords, full card numbers or other secrets in claims.
- Always verify the signature server-side and reject tokens whose alg is "none" or doesn't match what you expect.
- Check expiry on every request. A decoded-but-expired token must be rejected.
Privacy
Tokens often contain real session data, so privacy matters: this decoder runs entirely in your browser and never transmits the token or secret. The Base64url parts are decoded with the same primitives behind our Base64 tool, and signature verification uses HMAC just like the HMAC generator.
Frequently asked questions
Is it safe to paste a JWT into this tool?
Yes. Decoding and HS256 verification happen entirely in your browser with JavaScript. Neither the token nor the secret is ever sent to a server.
Can anyone read the contents of a JWT?
Yes. The header and payload are only Base64url-encoded, not encrypted. Anyone holding the token can read the claims, so never store secrets in a JWT payload.
Does decoding a JWT mean it's valid?
No. Decoding only reads the data. A token is valid only if its signature verifies against the correct key and its time claims (exp/nbf) are satisfied. Always verify server-side.
Which signature algorithms can this tool verify?
It verifies HS256 (HMAC-SHA256) when you provide the shared secret. Asymmetric algorithms like RS256 and ES256 require a public key and are not verified here.
Authentication & identity platforms
If you issue and validate JWTs in production, a managed identity provider removes a lot of risk:
- Identity provider / auth platform: Offload token issuance, rotation and verification (OAuth 2.0 / OIDC) to a battle-tested service.
- API gateway: Validate JWTs, enforce scopes and reject expired tokens at the edge before requests reach your services.
Related tools
- Base64 Encode / Decode: Convert text to Base64 and back, with full Unicode (UTF-8) support.
- HMAC Generator (SHA-1, SHA-256, SHA-512): Compute an HMAC from a message and secret key using SHA-1/256/384/512, as hex or Base64.
- Hash Generator (MD5, SHA-1, SHA-256, SHA-512): Compute MD5, SHA-1, SHA-256, SHA-384 and SHA-512 digests from any text.
- URL Encode / Decode: Percent-encode text for safe use in URLs, or decode %xx sequences back.