JWT Decoder
Paste a JWT to decode the header, payload and signature with color-coded parts, expiry countdown, and a token-lifetime bar. Verify HMAC signatures (HS256/384/512) with the secret using the Web Crypto API, or switch to Sign & build to mint new tokens. Nothing is uploaded — everything runs in your browser.
All decoding, signing and verification happen in your browser via the Web Crypto API.
How to use this JWT decoder
- Paste your JWT into the input — header, payload and signature parse instantly.
- Read the algorithm, expiration, and color-coded claims with descriptions for the standard ones.
- Enter the secret to verify HS256/384/512 signatures via the Web Crypto API.
- Switch to Sign & build to mint a new JWT from header + payload JSON and a secret.
- Use 'Set iat=now & exp=+1h' for a quick test token.
Frequently asked questions
Why does my JWT show as expired but my backend still accepts it?
Likely clock skew. Many JWT libraries allow a 30-60 second leeway around `exp` and `iat` to handle servers with slightly different clocks. The decoder uses your browser's clock with no leeway, so a token that has only just expired in your view may still be valid server-side. Also verify that the secret matches: decoding never checks the signature, so a token decodes cleanly even with the wrong secret, and only the verify step fails.
Which algorithms can be verified?
HMAC-SHA only (HS256, HS384, HS512). Asymmetric algorithms like RS256, ES256 and EdDSA still decode normally, but they need a public key to verify and aren't supported here.
Can I trust an unsigned JWT?
Never accept an alg of 'none' in production — that means the token is unsigned. The decoder flags it.
Why do I see Unix timestamps for exp/iat?
The JWT spec stores time as Unix seconds. The tool shows both the raw number and a localized date.
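The checks the answers above describe (verify the HMAC signature before trusting any claim, apply leeway around `exp` and `iat`, reject an alg of 'none'), as an added example that is not this tool's own code. The function names, status strings and sample values are hypothetical.

```javascript
// Added example. Function names and status strings are hypothetical.
// Web Crypto is globalThis.crypto in browsers and Node 19+; older Node needs the fallback.
const subtle = (globalThis.crypto ?? require('node:crypto').webcrypto).subtle;
const enc = new TextEncoder();

const b64uEncode = (bytes) =>
  btoa(String.fromCharCode(...bytes)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const b64uDecode = (s) =>
  Uint8Array.from(atob(s.replace(/-/g, '+').replace(/_/g, '/')), (c) => c.charCodeAt(0));
const parseJson = (part) => JSON.parse(new TextDecoder().decode(b64uDecode(part)));
const hmacKey = (secret, usage) =>
  subtle.importKey('raw', enc.encode(secret), { name: 'HMAC', hash: 'SHA-256' }, false, [usage]);

// Mint an HS256 token (used here only to build a constructed sample).
async function signHs256(payload, secret) {
  const head = b64uEncode(enc.encode(JSON.stringify({ alg: 'HS256', typ: 'JWT' })));
  const body = b64uEncode(enc.encode(JSON.stringify(payload)));
  const sig = await subtle.sign('HMAC', await hmacKey(secret, 'sign'), enc.encode(`${head}.${body}`));
  return `${head}.${body}.${b64uEncode(new Uint8Array(sig))}`;
}

// exp/iat are Unix seconds; leewaySec widens the window to absorb clock skew.
function checkTimes(payload, nowSec, leewaySec = 0) {
  if (typeof payload?.exp === 'number' && nowSec >= payload.exp + leewaySec) return 'expired';
  if (typeof payload?.iat === 'number' && payload.iat > nowSec + leewaySec) return 'issued in the future';
  return 'ok';
}

// Order matters: pin the algorithm, verify the signature, and only then trust the claims.
async function verifyHs256(token, secret, nowSec, leewaySec = 0) {
  const parts = token.split('.');
  if (parts.length !== 3) return 'malformed';
  const [head, body, sig] = parts;
  let header, payload, sigBytes;
  try {
    header = parseJson(head);
    payload = parseJson(body);
    sigBytes = b64uDecode(sig);
  } catch {
    return 'malformed';
  }
  if (header?.alg !== 'HS256') return 'rejected alg'; // includes alg "none"
  const key = await hmacKey(secret, 'verify');
  const ok = await subtle.verify('HMAC', key, sigBytes, enc.encode(`${head}.${body}`));
  return ok ? checkTimes(payload, nowSec, leewaySec) : 'bad signature';
}
```

For a constructed token whose `exp` is 20 seconds in the past, `verifyHs256` returns 'expired' with zero leeway and 'ok' with 60 seconds of leeway, which is the decoder-versus-backend mismatch described in the first answer.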