JWT Decoder & Verifier

Decode, humanise and verify JSON Web Tokens — all client-side

Your token never leaves your browser
Decoding, humanising and signature verification all run with the Web Crypto API. We never send your token to our servers — not even to our analytics.

## A JWT decoder you can actually trust

Pasting a production token into a random web tool is a terrible idea: the tool you used yesterday might log it, keep it, or accidentally expose it. **This JWT Decoder runs entirely in your browser**: parsing, signature verification and even analytics never touch your token. Nothing is uploaded, nothing is logged, nothing is stored unless you explicitly enable history.

### What makes it different

- **Structure-first parser.** If your token is broken, we tell you exactly which segment (header / payload / signature), the error kind, and the raw characters involved, not a generic "invalid".
- **Humanised claims.** Standard RFC 7519 claims (`exp`, `nbf`, `iat`, `iss`, `sub`, `aud`, `jti`, `auth_time`) are rendered with readable labels, absolute dates in your timezone, and a relative "expires in 42 minutes" hint. Expired or not-yet-valid tokens are highlighted immediately.
- **Real signature verification.** HS256/384/512 and RS256/384/512 are supported through the browser's native Web Crypto API: no JavaScript crypto library, no network call. Drop a PEM public key (RS*) or an HMAC secret (HS*) and get live `valid / invalid` feedback.
- **Explicit `alg: none` warning.** The decoder refuses to claim an unsigned token is "valid" and tells you why those tokens should never be accepted by a server.
- **Copy anywhere.** One-click copy for the raw token, each decoded JSON, any individual claim, or the fully humanised summary.
- **Keyboard-first.** Load the example with `Ctrl+L`, clear with `Ctrl+K`, paste a `Bearer …` header and watch the prefix strip itself.

Privacy-sensitive tools deserve privacy-first UX. This one is ours.

## Frequently Asked Questions

Everything you need to know about this tool

### Does my token ever leave the browser?

No. Every step, base64url decode, JSON parse, humanising claims and signature verification, runs inside your browser with the Web Crypto API. We also never attach the token to any analytics event.

### Which algorithms can be verified?

HS256, HS384 and HS512 with a shared secret, and RS256, RS384 and RS512 with a PEM-encoded RSA public key. ES* (ECDSA) and PS* (RSA-PSS) tokens can still be decoded, but verification is not yet available for them.

### What happens with an `alg: none` token?

We display the decoded content and mark it explicitly as Unsigned. Production servers should reject such tokens outright, and more generally accept only the algorithm they expect rather than whatever the header claims; our status banner says so.

### Why does a token that just expired (or is about to) still work on the server?

Clocks differ. We compare your local clock to the `exp` / `nbf` claims. A 30–60 second skew between the client and the issuer is normal, and production validators usually allow a leeway of that size. An "Expires soon" warning inside that window is most likely skew rather than a real expiry, but the leeway is a validator setting, not something the client gets to choose, and it never makes a clearly expired token acceptable.

### What is the difference between "Invalid" and "Key error"?

Invalid means the signature bytes did not match. Key error means the key material itself was unusable: wrong PEM format, missing BEGIN/END markers, or an RSA public key supplied for an HMAC token. Check the key, not the signature.

### Where does the example token come from?

It is a locally-signed HS256 demo with the secret "doctools" baked into the page source so you can try signature verification without hunting for a token. It is not a production key from anyone.