JWT Decoder
Decode, verify, and sign JSON Web Tokens locally in your browser — secrets never leave your device.
How it works
A JWT is three base64url-encoded segments separated by dots: header, payload, signature. The header and payload are JSON; decoding is a simple base64url round-trip parsed as JSON. The signature is computed over the first two segments using the algorithm named in the header (HMAC for HS*, RSA for RS*/PS*, ECDSA for ES*). This tool uses your browser's built-in Web Crypto API via the jose library to verify and sign — your secrets and private keys never leave your device.
segments = token.split(".") // [header, payload, signature]
// atob() expects standard base64, so map the base64url alphabet back and restore padding first
b64url = s => atob(s.replace(/-/g, "+").replace(/_/g, "/").padEnd(Math.ceil(s.length / 4) * 4, "="))
header = JSON.parse(b64url(segments[0]))
payload = JSON.parse(b64url(segments[1]))
Common use cases
- Debugging an API auth issue by inspecting the claims and expiry of a token your client received.
- Signing a test token against staging credentials without piping a secret through a third-party site.
- Verifying a token against a service's public key during a pull-request review.
Frequently asked questions
Is it safe to paste my production JWT here?
Safer than alternatives, but apply judgment. Decoding happens entirely in your browser — nothing is sent to a server, and the source is on GitHub. However, any in-browser JS could in principle exfiltrate data; verify the code if you handle highly sensitive tokens.
How is signature verification performed?
Via the browser's Web Crypto SubtleCrypto.verify (and SubtleCrypto.sign when issuing a token) routed through the jose library. Keys are imported per algorithm: secret strings for HMAC, PEM or JWK for RSA / ECDSA. No remote endpoints are called.
Which algorithms are supported?
HS256/384/512, RS256/384/512, ES256/384, and PS256/384/512. These cover effectively every JWT issued by mainstream identity providers (Auth0, Okta, Cognito, Firebase, Keycloak).
What happens to the secret or key I paste?
It stays in your browser's memory only — never written to localStorage, never sent over the network. Closing the tab discards it.