OrbitTest

JWT Decoder & Debugger

Decode any JSON Web Token, read its claims and expiry in plain English, and verify the signature with a secret or public key. HS, RS, PS and ES algorithms supported. Everything runs in your browser — your token never leaves the page.

Understand exactly what a token contains

A JWT is three Base64URL segments — header, payload and signature — separated by dots. This debugger splits them apart, pretty-prints the JSON, and translates the time-based claims (iat, exp, nbf) into readable dates with a clear valid / expired status, so you can see at a glance why authentication is or is not working.

Verify, don’t just trust

Decoding proves nothing about authenticity — the payload is only encoded. Paste your HMAC secret or a PEM public key and the tool recomputes the signature with the Web Crypto API to confirm the token is genuine and untampered.

  • HS256 / HS384 / HS512 — verified with a shared secret.
  • RS & PS 256/384/512 — verified with an RSA public key.
  • ES256 / ES384 / ES512 — verified with an EC public key.
  • Expiry & not-before — checked against your current clock.

Frequently asked questions

Is it safe to paste a JWT here?

Yes. Decoding and signature verification run entirely in your browser using the Web Crypto API. Your token, secret and keys are never sent to a server. Still, treat production tokens carefully and avoid pasting long-lived secrets on shared machines.

Which signature algorithms can be verified?

HMAC (HS256, HS384, HS512) using a shared secret, and RSA/ECDSA (RS256/384/512, PS256/384/512, ES256/384/512) using a PEM public key. The algorithm is read from the token header automatically.

Why does my token show as expired?

The tool compares the exp (expiration) claim to your current clock. If exp is in the past, the token is expired. It also checks nbf (not before) and shows iat (issued at) so you can see the full validity window.

Can a JWT be decoded without the secret?

Yes — that is the point of this debugger. The header and payload are Base64URL-encoded, not encrypted, so anyone can read them. The secret or key is only needed to verify that the signature is authentic and the token has not been tampered with.