← Tools
JWT Decoder & Verifier
Decode a JSON Web Token's header and claims, read its expiry and timing in plain language, and verify an HS256/384/512 signature with a pasted secret. Runs entirely in your browser.
Decoding and signature checks run locally. The token and secret never leave your browser.
Anatomy of a JWT
The header and payload are only base64url-encoded, not encrypted, so anyone can read them. The signature is computed over the header and payload joined by a dot, and is what a verifier checks.