JWT Decoder

Decode and verify JSON Web Tokens. Inspect headers, payloads, and registered claims, and check signatures with HMAC, RSA, RSA-PSS, or ECDSA keys.

Decoded entirely in your browser. Tokens and keys never leave your device.

About JWT

A JSON Web Token has three base64url-encoded segments separated by dots: header (algorithm and type), payload (claims), and signature. Decoding only requires base64url + JSON; verification additionally checks the signature with the issuer's secret or public key.

Security notes

  • alg: none means the token is unsigned. Never trust it for authentication.
  • Watch for the classic RS256 → HS256 confusion attack: an attacker can swap the algorithm and sign with the public key as a shared HMAC secret. Always pin the expected algorithm server-side.
  • Header alg is not authoritative — your verifier must enforce the algorithm it expects, not the algorithm the token claims.
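
The notes above as a minimal HS256 verifier with the algorithm pinned in the verifier, run against constructed tokens. This is an added example, not this tool's code; `EXPECTED_ALG`, `verify_hs256`, `outcome`, the secret and the sample tokens are all assumptions made for illustration. The same pin, set to RS256 in an RSA verifier, is the check that refuses a token whose header claims HS256.

```python
import base64, hashlib, hmac, json

EXPECTED_ALG = "HS256"  # pinned in verifier config, never taken from the token

def b64url_decode(seg: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(seg + "=" * (-len(seg) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def encode_json(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())

def decode_unverified(token: str):
    """Decoding is only base64url + JSON; it says nothing about authenticity."""
    header_seg, payload_seg, _sig = token.split(".")  # ValueError unless 3 segments
    return json.loads(b64url_decode(header_seg)), json.loads(b64url_decode(payload_seg))

def verify_hs256(token: str, secret: bytes) -> dict:
    header, payload = decode_unverified(token)
    alg = header.get("alg") if isinstance(header, dict) else None
    # Enforce the algorithm the verifier expects, not the one the header claims.
    if alg != EXPECTED_ALG:
        raise ValueError(f"unexpected alg {alg!r}")
    signing_input, _, sig_seg = token.rpartition(".")
    expected = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_seg)):  # constant-time compare
        raise ValueError("signature mismatch")
    return payload

def outcome(token: str, secret: bytes) -> str:
    try:
        return f"accepted sub={verify_hs256(token, secret).get('sub')}"
    except ValueError as exc:  # also covers bad base64, bad JSON, wrong segment count
        return f"rejected: {exc}"

# --- constructed sample data (not real credentials or tokens) ---
SECRET = b"constructed-demo-secret"
CLAIMS = {"sub": "alice", "admin": False}
_body = encode_json({"alg": "HS256", "typ": "JWT"}) + "." + encode_json(CLAIMS)
GOOD = _body + "." + b64url_encode(hmac.new(SECRET, _body.encode(), hashlib.sha256).digest())
# Header claims alg "none" and carries an empty signature segment.
UNSIGNED = encode_json({"alg": "none", "typ": "JWT"}) + "." + encode_json(CLAIMS) + "."
# Payload edited after signing; the original signature no longer matches.
_h, _p, _s = GOOD.split(".")
TAMPERED = ".".join([_h, encode_json({"sub": "alice", "admin": True}), _s])

if __name__ == "__main__":
    for name, tok in [("good", GOOD), ("alg none", UNSIGNED), ("tampered", TAMPERED)]:
        print(f"{name:9} {outcome(tok, SECRET)}")
```

`decode_unverified` still returns the claims of the unsigned token, which is why decoded output alone must never drive an authentication decision.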