What is JWT Decoder?

Paste any JSON Web Token to see its decoded header, payload, and signature. Check token claims, verify expiration times, and debug authentication issues in seconds.

The decoder splits the token on dots, Base64URL-decodes the header and payload, and parses both as JSON. You see the signing algorithm (HS256, RS256, EdDSA, etc.), all reserved claims (iss, sub, aud, exp, iat, nbf, jti), and any custom claims your service added. Timestamp claims are converted from Unix epoch to your local timezone so you can spot an expired token at a glance.

How to use

  1. Paste your JWT token into the input field — the three Base64URL-encoded sections (header, payload, signature) will be automatically detected.
  2. View the decoded header (algorithm, type) and payload (claims, expiration, issuer) side by side.
  3. Copy individual decoded sections or the full parsed output.

When to use

  • Debugging a 401 response by checking whether the bearer token's exp has already passed.
  • Verifying that a token issued for staging carries the right aud and iss before the production rollout.
  • Reading the user_id or scopes a third-party SSO provider embedded in your access token.

Result

You're debugging a 401 error in your API. Paste the bearer token from the request header to check if the 'exp' claim has already passed or if the 'aud' claim matches your expected audience.

FAQ

Does this tool verify the signature?
For HMAC tokens (HS256, HS384, HS512), paste the secret and the tool checks the signature right on your device. For RS and ES tokens (RS256/384/512, ES256/384/512), paste the issuer's PEM public key and it verifies the same way. Either way, the secret or key never leaves your device.
Is it safe to paste a real production token?
Decoding happens on your device — the token is never sent to a server. That said, a bearer token grants whoever holds it the user's access, so the bigger risk is anyone watching your screen, not the tool itself.
What does it mean if the alg field says 'none'?
Some JWT libraries used to accept tokens whose header declared alg=none and skipped signature verification entirely, which is a known attack vector. A production API should reject such tokens outright and pin the algorithms it is willing to accept rather than trusting the header. Seeing 'none' on a token meant to authenticate users is a red flag worth fixing.
Why does the payload show numbers instead of dates for exp and iat?
JWTs store timestamps as seconds since 1970-01-01 UTC. The decoder converts them to a human-readable local date next to each claim so you can tell whether a token has expired without doing the math.
Can I decode a token that uses encryption (JWE)?
JWE tokens have five dot-separated parts and are encrypted, not just signed. This decoder reads JWS tokens (three parts: header.payload.signature). For JWE you need the decryption key, which by design has to stay on the receiving server.
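The steps the decoder performs (split on dots, Base64URL-decode, parse JSON, render the epoch timestamps) and the two FAQ points about HMAC verification and alg=none are shown together below in a Python example added here; it is not the tool's own code. It uses only the standard library, so it covers HS256 but not RS/ES keys. The secret, the claims, and the issuer/audience names are constructed for the demo, and the token is minted inside the script so it runs offline.

```python
"""Decode and verify a JWS compact token (header.payload.signature) with the standard library."""
import base64
import hashlib
import hmac
import json
import time
from datetime import datetime, timezone

# Constructed demo values; not a real credential or a real issuer.
DEMO_SECRET = b"demo-secret-not-for-production"
SAMPLE_PAYLOAD = {
    "iss": "https://issuer.example",
    "sub": "user-123",
    "aud": "api.example",
    "iat": 1700000000,
    "exp": 1700003600,
    "scopes": ["read:orders"],
}
TIMESTAMP_CLAIMS = ("exp", "iat", "nbf")


def _b64url_decode(segment: str) -> bytes:
    """Base64URL decode, restoring the '=' padding that JWTs strip."""
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment)


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_jwt(token: str) -> dict:
    """Split on dots and parse header and payload. No signature check happens here."""
    parts = token.split(".")
    if len(parts) == 5:
        raise ValueError("five segments: this is a JWE, which needs the decryption key")
    if len(parts) != 3:
        raise ValueError(f"expected 3 dot-separated segments, got {len(parts)}")
    header = json.loads(_b64url_decode(parts[0]))
    payload = json.loads(_b64url_decode(parts[1]))
    return {"header": header, "payload": payload, "signature": _b64url_decode(parts[2])}


def humanize_timestamps(payload: dict) -> dict:
    """Render exp/iat/nbf (seconds since 1970-01-01 UTC) as ISO-8601 UTC strings."""
    return {
        claim: datetime.fromtimestamp(payload[claim], tz=timezone.utc).isoformat()
        for claim in TIMESTAMP_CLAIMS
        if claim in payload
    }


def check_time_claims(payload: dict, now=None, leeway: int = 0) -> list:
    """List problems with exp/nbf; an empty list means the token is inside its validity window."""
    now = int(time.time()) if now is None else now
    problems = []
    if "exp" in payload and now > payload["exp"] + leeway:
        problems.append("expired")
    if "nbf" in payload and now < payload["nbf"] - leeway:
        problems.append("not yet valid")
    return problems


def verify_hs256(token: str, secret: bytes) -> bool:
    """Verify an HS256 signature with a constant-time compare.
    The accepted algorithm is pinned by the verifier, so alg 'none' and RS/ES headers are refused."""
    decoded = decode_jwt(token)
    if decoded["header"].get("alg") != "HS256":
        return False
    signing_input = token.rsplit(".", 1)[0].encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return hmac.compare_digest(expected, decoded["signature"])


def make_hs256_token(payload: dict, secret: bytes) -> str:
    """Mint a token so the demo is self-contained (constructed data only)."""
    header = {"alg": "HS256", "typ": "JWT"}
    segs = [_b64url_encode(json.dumps(h, separators=(",", ":")).encode()) for h in (header, payload)]
    sig = hmac.new(secret, ".".join(segs).encode("ascii"), hashlib.sha256).digest()
    return ".".join(segs + [_b64url_encode(sig)])


def make_unsigned_token(payload: dict) -> str:
    """An alg=none token with an empty signature segment, used only to show it is rejected."""
    header = {"alg": "none", "typ": "JWT"}
    segs = [_b64url_encode(json.dumps(h, separators=(",", ":")).encode()) for h in (header, payload)]
    return ".".join(segs) + "."


if __name__ == "__main__":
    token = make_hs256_token(SAMPLE_PAYLOAD, DEMO_SECRET)
    decoded = decode_jwt(token)
    print(json.dumps(decoded["header"], indent=2))
    print(json.dumps(decoded["payload"], indent=2))
    print("timestamps:", humanize_timestamps(decoded["payload"]))
    print("time problems now:", check_time_claims(decoded["payload"]))
    print("signature ok:", verify_hs256(token, DEMO_SECRET))
    print("alg=none accepted:", verify_hs256(make_unsigned_token(SAMPLE_PAYLOAD), DEMO_SECRET))
```

Decoding and verifying are kept as separate functions on purpose: decoding is what you do to read claims while debugging a 401, and it proves nothing about who issued the token; only verify_hs256 with the right secret does. Passing a fixed now to check_time_claims reproduces the exact moment of a failed request instead of the current clock.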
