JWT Decoder

Decode JWT header and payload locally, with optional HS256, HS384, and HS512 signature matching when you provide a secret.

Runs locally · No upload · No external API

Paste a JWT to decode its header and payload locally.

Verify signature

Optional · HMAC only

Signature not checked. Add a secret to check HS256, HS384, and HS512 signatures. Decode still works without it.

Local check only

Your token and secret are processed in this browser tab. They are not uploaded, sent to an external API, or saved by this tool. A signature match only means the token signature matches the secret you entered. It does not prove token trust, expiry status, access permission, or session use.

A matching signature is not the same as server acceptance. Issuer, audience, expiry, permissions, revocation, and server-side policy are not checked.

Local-only note

JWTs can contain sensitive data. Decode locally here, and avoid pasting production secrets into shared devices.

How to use the JWT Decoder

Decode the readable parts of a JSON Web Token so you can inspect claims, timestamps, token shape, and optional HMAC signature match without uploading it.

  1. Paste or type your input.
  2. Load the sample if you want a quick check.
  3. Run the action, review the result, then copy only what you need.

Examples

Payload claims

Input: eyJ...payload...signature

Output: Header JSON, payload JSON, and timestamp claims

Expiration claim

Input: {"exp":1719859200}

Output: exp: local time, UTC time, and ISO string

Malformed token

Input: not.a.jwt

Output: Clear segment or JSON parse error

Common use cases

Inspect auth logs

Decode a token from a local log, then convert related timestamps if needed.

Format decoded JSON

Copy payload JSON into the JSON Formatter for deeper inspection.

Limitations

Optional HMAC signature matching

Decode works without verification. Optional HMAC signature matching is available for HS256, HS384, and HS512 when you provide a secret.

Sensitive data

JWTs can contain private claims. Avoid pasting production secrets on shared devices.

FAQ

Can this JWT Decoder verify a signature?

It can locally check HS256, HS384, and HS512 HMAC signatures when you provide the secret. It does not support RSA/ECDSA/PS keys and does not check issuer, audience, expiry, permissions, or trust.

Can I decode JWT timestamps?

Yes. Numeric exp, iat, and nbf claims are shown as local time, UTC, and ISO.

Is my token uploaded?

No. Decoding happens in your browser.
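
The decode step, timestamp rendering, malformed-token errors, and optional HS256/HS384/HS512 match described on this page, as an added example that is not the tool's own code. It assumes Node.js and its built-in `crypto` module rather than the browser; `inspectJwt`, `decodeSegment`, and `signSample` are hypothetical names, and the sample secret and claims are constructed.

```javascript
// Added example (not the tool's code). Node's built-in crypto module is an assumption.
const { createHmac, timingSafeEqual } = require('node:crypto');

const HMAC_ALGS = new Map([['HS256', 'sha256'], ['HS384', 'sha384'], ['HS512', 'sha512']]);

// Decode one base64url segment into a JSON object, or fail with a named error.
function decodeSegment(segment, name) {
  if (!/^[A-Za-z0-9_-]+$/.test(segment)) throw new Error(`${name}: not base64url`);
  let value;
  try {
    value = JSON.parse(Buffer.from(segment, 'base64url').toString('utf8'));
  } catch {
    throw new Error(`${name}: not valid JSON`);
  }
  if (value === null || typeof value !== 'object') throw new Error(`${name}: not a JSON object`);
  return value;
}

function inspectJwt(token, secret) {
  const parts = token.trim().split('.');
  if (parts.length !== 3) throw new Error(`expected 3 segments, got ${parts.length}`);
  const [h, p, s] = parts;
  const header = decodeSegment(h, 'header');
  const payload = decodeSegment(p, 'payload');
  // Numeric exp/iat/nbf are seconds since the Unix epoch; shown here as ISO (UTC).
  const times = {};
  for (const claim of ['exp', 'iat', 'nbf']) {
    if (Number.isFinite(payload[claim])) times[claim] = new Date(payload[claim] * 1000).toISOString();
  }
  let signature = 'not checked';
  if (secret !== undefined) {
    const hash = HMAC_ALGS.get(header.alg);
    if (!hash) {
      signature = 'unsupported alg'; // RS*/ES*/PS* or "none": never reported as a match
    } else {
      const expected = createHmac(hash, secret).update(`${h}.${p}`).digest();
      const given = Buffer.from(s, 'base64url');
      // Constant-time compare; timingSafeEqual throws on unequal lengths, so check first.
      signature = given.length === expected.length && timingSafeEqual(given, expected) ? 'match' : 'mismatch';
    }
  }
  return { header, payload, times, signature }; // 'match' says nothing about exp, iss, aud or revocation
}

// Builds a constructed sample token for the demo; the secret and claims are made up.
function signSample(claims, secret, alg = 'HS256') {
  const b64 = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
  const body = `${b64({ alg, typ: 'JWT' })}.${b64(claims)}`;
  return `${body}.${createHmac(HMAC_ALGS.get(alg), secret).update(body).digest('base64url')}`;
}
```

A token whose `exp` is already in the past still reports `match` here, which is why a signature match on its own is not server acceptance.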