
Developer Tool
Understand JWT token structure at a glance, extract claims, and verify signatures. All processing happens in your browser.
JWT is an encoded JSON string designed to securely transmit information. It has three parts separated by dots: a header (token type and algorithm), a payload (user information called claims), and a signature (to verify the token hasn't been tampered with). You typically receive JWTs from authentication systems after login, or use them as access tokens in API requests.
Although tokens aren't encrypted, they are base64-encoded and unreadable as-is. Decoding a JWT lets you see the information it contains (issuer, expiration time, user ID, etc.) at a glance. During development, it's essential to verify that your token carries the right information and hasn't expired.
Yes, completely safe. This tool runs 100% in your browser. The JWT token or signing key you paste is never sent to a server and never leaves your device. All parsing and verification happen locally on your computer. Even in development, never paste production secret keys into untrusted tools.
Yes, it's completely safe. This tool does all processing in your browser only. Your token and secret key are never sent anywhere or stored. Feel free to use it for testing during development.
For HMAC (HS256/384/512), you need the secret key used to create the signature. For RSA/ECDSA (RS256/ES256), you need the public key in PEM format. The public key is usually available from the issuer's authentication server via a JWKS (JSON Web Key Set) URL.
Currently, it supports HS256, HS384, HS512 (HMAC), RS256 (RSA), and ES256 (ECDSA). EdDSA (Ed25519) and other advanced algorithms are not yet supported.
An expired token shows a red banner with '⛔ Expired' status. If the expiration time (exp claim) is earlier than the current time, it's expired. You can still verify the signature, but a real server would reject it.
Claims are pieces of information in the JWT payload. Standard claims like iss (issuer), sub (subject), exp (expiration), and iat (issued at) are defined by the JWT specification. Custom claims are application-specific information added as needed.