Security Utility

JWT Decoder / Encoder

Decode payloads, verify HS signatures, test candidate secrets, and generate signed JWTs directly in your browser.

Decode + Verify

JWT token

Secret (single verify)

Candidate secrets (one per line)

Use this to test multiple potential secrets quickly.

Encode

Header JSON

Payload JSON

Signing secret

Required for HS256/HS384/HS512. Leave empty only when header alg is "none".

What this JWT tool supports

  • Decode header, payload, and signature from any JWT.
  • Verify HMAC signatures for HS256, HS384, and HS512 tokens.
  • Test multiple candidate secrets in one click.
  • Generate signed JWTs from editable header and payload JSON.
  • Render exp, iat, and nbf claims as ISO, local, and relative times.

Verification scope

Signature verification on this page currently covers HMAC-based JWTs (HS256/HS384/HS512). RSA/ECDSA algorithms such as RS256 or ES256 require public-key verification flows and are intentionally out of scope for this browser-only secret testing workflow.

FAQs

What are the three parts of a JWT?

A JWT consists of three Base64URL-encoded parts separated by dots: the Header (algorithm and token type), the Payload (claims such as user ID, expiration, and issuer), and the Signature (a MAC or digital signature computed over the encoded Header and Payload, which lets a verifier holding the right key detect tampering).

Is decoding a JWT the same as verifying it?

No. Decoding reads the Header and Payload, while verification checks whether the Signature is valid for a key. This tool can verify HMAC JWTs (HS256/HS384/HS512) with supplied secrets and also run candidate secret testing.

Can I use an expired JWT?

Most servers reject expired tokens. The "exp" claim is a Unix timestamp indicating when the token expires. This tool shows the expiration status so you can quickly check whether a token is still valid.

What is the difference between HS256 and RS256?

HS256 uses a shared secret key (HMAC with SHA-256) for signing and verification. RS256 uses an RSA key pair — a private key to sign and a public key to verify. RS256 is preferred when the verifier should not have the signing key.

Is it safe to paste my JWT into an online tool?

This tool runs entirely in your browser — your token is never sent to any server. However, JWTs in general should be treated as sensitive because the payload often contains user information. Avoid pasting production tokens into tools that transmit data to a backend.

Is this JWT Decoder/Encoder free to use?

Yes. It is completely free and runs in your browser.

Does this JWT Decoder/Encoder send my data to a server?

No. It processes input directly in your browser.

Do I need to create an account to use this JWT Decoder/Encoder?

No account is required.

Privacy-first by design

Tool inputs are processed in your browser. Review the Privacy Policy and Terms for full details.
