Decode, inspect and sign any JWT

Read a token's header and claims, verify its signature, or build and sign a new one. Everything runs in your browser — nothing is ever sent to a server.

100% client-side. Your token never leaves this page.

How it works

No signup, no upload — just three steps.

1. Paste or build

Drop in any JWT to inspect it, or switch to the signer to craft a fresh token.

2. Read it instantly

The header and payload are decoded and the standard claims explained in plain language.

3. Verify or sign

Check HMAC, RSA or ECDSA signatures, or sign new tokens — all computed locally with Web Crypto.

Frequently asked questions

Everything you might want to know about working with JWTs.

What is a JWT?
A JSON Web Token is a compact, URL-safe way of carrying claims between two parties. It has three parts — a header, a payload and a signature — each Base64URL-encoded and joined with dots.
Is decoding the same as verifying?
No. Decoding just reads the Base64URL data, which anyone can do — a JWT is not encrypted. Verifying checks the signature against a secret or public key to confirm the token wasn't tampered with.
Is my token or secret sent anywhere?
Never. All decoding, verification and signing happen entirely in your browser using JavaScript and the built-in Web Crypto API. No token, secret or key is transmitted.
Which algorithms are supported?
For verifying and signing: HMAC (HS256/384/512) with a shared secret, RSA (RS256/384/512), RSA-PSS (PS256/384/512) and ECDSA (ES256/384/512) with PEM keys. Asymmetric signing needs a private key; verifying needs the matching public key.
What do exp, iat and nbf mean?
These are registered time claims. "iat" is when the token was issued, "exp" is when it expires, and "nbf" marks the earliest time it may be used. They are stored as Unix timestamps in seconds.
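
The difference between decoding and verifying, and the exp and nbf checks described in the answers above, shown as an added example that is not this tool's own code. It covers HS256 only; the secret, claims, timestamps and all function names are constructed for illustration.

```javascript
// Added example. Secret, claims and timestamps are constructed for illustration.
const enc = new TextEncoder(), dec = new TextDecoder();
// Web Crypto is global in browsers and current Node; older Node exposes it via node:crypto.
const getSubtle = async () => globalThis.crypto?.subtle ?? (await import('node:crypto')).webcrypto.subtle;
function b64urlToBytes(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/').padEnd(Math.ceil(s.length / 4) * 4, '=');
  return Uint8Array.from(atob(b64), c => c.charCodeAt(0));
}
const bytesToB64url = bytes =>
  btoa(String.fromCharCode(...bytes)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const encodePart = obj => bytesToB64url(enc.encode(JSON.stringify(obj)));
// Decoding needs no key: it only reverses Base64URL and parses JSON.
function decodeJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('expected header.payload.signature');
  const [header, payload] = parts.slice(0, 2).map(p => JSON.parse(dec.decode(b64urlToBytes(p))));
  return { header, payload };
}
async function hmacKey(secret, usage) {
  return (await getSubtle()).importKey('raw', enc.encode(secret), { name: 'HMAC', hash: 'SHA-256' }, false, [usage]);
}
async function signHs256(payload, secret) {
  const input = encodePart({ alg: 'HS256', typ: 'JWT' }) + '.' + encodePart(payload);
  const sig = await (await getSubtle()).sign('HMAC', await hmacKey(secret, 'sign'), enc.encode(input));
  return input + '.' + bytesToB64url(new Uint8Array(sig));
}
// Verifying recomputes the MAC over "header.payload", then applies the time claims.
async function verifyHs256(token, secret, now = Math.floor(Date.now() / 1000)) {
  const { header, payload } = decodeJwt(token);
  if (header.alg !== 'HS256') return { ok: false, reason: 'unexpected alg' }; // pin the algorithm
  const [h, p, s] = token.split('.');
  const key = await hmacKey(secret, 'verify');
  const valid = await (await getSubtle()).verify('HMAC', key, b64urlToBytes(s), enc.encode(h + '.' + p));
  if (!valid) return { ok: false, reason: 'bad signature' };
  if (typeof payload.nbf === 'number' && now < payload.nbf) return { ok: false, reason: 'not yet valid' };
  if (typeof payload.exp === 'number' && now >= payload.exp) return { ok: false, reason: 'expired' };
  return { ok: true, payload };
}
async function demo() {
  const claims = { sub: 'alice', role: 'user', iat: 1700000000, exp: 1700003600 };
  const token = await signHs256(claims, 'constructed-demo-secret');
  const [h, , s] = token.split('.');
  const edited = [h, encodePart({ ...claims, role: 'admin' }), s].join('.'); // payload changed, old signature kept
  return {
    decodedRole: decodeJwt(edited).payload.role, // decoding alone still returns the edited claim
    genuine: await verifyHs256(token, 'constructed-demo-secret', 1700000100),
    edited: await verifyHs256(edited, 'constructed-demo-secret', 1700000100),
    expired: await verifyHs256(token, 'constructed-demo-secret', 1700003600),
  };
}
```

Calling `demo()` shows that the edited token decodes cleanly but is rejected by verification, which is why claims must only be trusted after the signature and time checks pass.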