JWT Decoder
Paste a JWT to decode the header, payload and signature with color-coded parts, expiry countdown, and a token-lifetime bar. Verify HMAC signatures (HS256/384/512) with the secret using the Web Crypto API, or switch to Sign & build to mint new tokens. Nothing is uploaded — everything runs in your browser.
RS/ES (asymmetric) algorithms aren't HMAC-verifiable. The header and payload above still decode correctly, but the signature isn't checked here, so the claims are unverified.
{
  "alg": "HS256",
  "typ": "JWT"
}

{
  "sub": "user_12345",
  "name": "Jane Doe",
  "admin": true,
  "iat": 1746576000,
  "exp": 2061936000,
  "iss": "toolsrange.com",
  "aud": "api"
}

All decoding, signing and verification happen in your browser via the Web Crypto API.
How to use this JWT decoder
- Paste your JWT into the input — header, payload and signature parse instantly.
- Read the algorithm, expiration, and color-coded claims with descriptions for the standard ones.
- Enter the secret to verify HS256/384/512 signatures via the Web Crypto API.
- Switch to Sign & build to mint a new JWT from header + payload JSON and a secret.
- Use 'Set iat=now & exp=+1h' for a quick test token.
Frequently asked questions
Is my token sent anywhere?
No. Decoding, verification and signing all run with the Web Crypto API in your browser. The token never leaves your device.
Which algorithms can be verified?
HMAC-SHA only (HS256, HS384, HS512). Asymmetric algorithms like RS256, ES256 and EdDSA still decode normally, but they need a public key to verify and aren't supported here.
Can I trust an unsigned JWT?
Never accept an alg of 'none' in production — that means the token is unsigned. The decoder flags it.
Why do I see Unix timestamps for exp/iat?
The JWT spec stores time as Unix seconds. The tool shows both the raw number and a localized date.