JWT Decoder & Validator
Decode JWT headers and payloads, verify HMAC signatures, and sign new tokens, all in your browser without sending data anywhere.
Free · No signup · Works in browser · 100% private
Why use this tool
Complete JWT Toolkit in Your Browser
Instant Decoding
Paste a JWT and instantly see the decoded header and payload; it auto-decodes as you type.
Expiry Detection
Automatically checks the exp claim and shows whether the token is valid, expired, or has no expiry.
Signature Validation
Verify HS256 HMAC signatures using the browser's SubtleCrypto API, with no external library needed.
JWT Signing
Create signed HS256 JWT tokens from a JSON payload and secret. Color-coded parts for clarity.
100% Private
Your tokens and secrets never leave the browser. All operations use built-in Web Crypto APIs.
Free, No Login
No account required. Use all three tabs (decode, validate, and encode) completely free.
How it works
Decode or Validate a JWT in 3 Steps
1. Choose a tab: Decode, Validate, or Encode
Select the operation you need from the tab bar at the top of the tool.
2. Paste your JWT token (and secret if validating)
For decoding, just paste the token. For validation, also enter the secret key. For encoding, paste a JSON payload.
3. Review the result
Decoded view shows header + payload + expiry status. Validate shows VALID or INVALID. Encode shows a color-coded signed token.
FAQ
Frequently Asked Questions
Is decoding a JWT safe to do online?
Yes, for decoding. JWT headers and payloads are Base64url-encoded but not encrypted, so anyone with the token can decode them. This tool decodes entirely in your browser without sending the token to any server. Avoid pasting tokens that contain sensitive user data in public environments.
What hashing algorithms does the validator support?
The validator currently supports HMAC-SHA256 (HS256) signature verification using the browser's built-in SubtleCrypto API. RS256 and other asymmetric algorithms require public key infrastructure and are not supported in this browser-only tool.
What is the difference between decoding and validating a JWT?
Decoding reads the header and payload content; anyone can do this without the secret key. Validation verifies the signature using the secret key to confirm the token was not tampered with. Always validate tokens on your server before trusting their claims.
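The decode/validate distinction above, as an added JavaScript example that is not this tool's source code: it signs and verifies HS256 tokens with the Web Crypto API, pins the algorithm, and checks exp only after the signature passes. The function names and result shape are assumptions made for illustration.

```javascript
// Added example, not the tool's source; function names are hypothetical.
const subtle = globalThis.crypto?.subtle ??
  (typeof require === "function" ? require("node:crypto").webcrypto.subtle : undefined);
const enc = new TextEncoder(), dec = new TextDecoder();

// JWT segments use unpadded base64url; convert to/from the alphabet btoa/atob expect.
const toB64url = (bytes) =>
  btoa(String.fromCharCode(...bytes)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const fromB64url = (s) => {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/") + "=".repeat((4 - (s.length % 4)) % 4);
  return Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
};
const hmacKey = (secret) => subtle.importKey(
  "raw", enc.encode(secret), { name: "HMAC", hash: "SHA-256" }, false, ["sign", "verify"]);

// Encode: the signature is an HMAC-SHA256 over the ASCII string "header.payload".
async function signHs256(payload, secret) {
  const head = toB64url(enc.encode(JSON.stringify({ alg: "HS256", typ: "JWT" })));
  const body = toB64url(enc.encode(JSON.stringify(payload)));
  const sig = await subtle.sign("HMAC", await hmacKey(secret), enc.encode(`${head}.${body}`));
  return `${head}.${body}.${toB64url(new Uint8Array(sig))}`;
}

// Validate: claims are returned only after the signature check succeeds.
async function verifyHs256(token, secret, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split(".");
  if (parts.length !== 3) return { valid: false, reason: "malformed" };
  let header, payload, sig;
  try {
    header = JSON.parse(dec.decode(fromB64url(parts[0])));
    payload = JSON.parse(dec.decode(fromB64url(parts[1])));
    sig = fromB64url(parts[2]);
  } catch {
    return { valid: false, reason: "malformed" };
  }
  // Pin the algorithm: the token's own header must not choose how it is verified.
  if (header?.alg !== "HS256") return { valid: false, reason: "unexpected alg" };
  // subtle.verify recomputes the HMAC over the received bytes and compares it to sig.
  const ok = await subtle.verify(
    "HMAC", await hmacKey(secret), sig, enc.encode(`${parts[0]}.${parts[1]}`));
  if (!ok) return { valid: false, reason: "bad signature" };
  // exp is seconds since the Unix epoch; a token without exp has no expiry.
  if (typeof payload?.exp === "number" && nowSec >= payload.exp)
    return { valid: false, reason: "expired" };
  return { valid: true, payload };
}
```

Decoding alone corresponds to the two JSON.parse lines; everything after them is what a server must do before trusting a claim.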
Can I sign (encode) a JWT with this tool?
Yes! The Encode tab lets you enter a JSON payload and a secret key, then generates a valid HS256-signed JWT token. The result is color-coded: red = header, purple = payload, blue = signature. Useful for testing APIs and understanding JWT structure.
How do I check if a JWT has expired?
In the Decode tab, paste your JWT and the tool automatically checks the exp (expiration) claim. It displays whether the token is expired, still valid, or has no expiry set, along with the exact expiration date and time converted from Unix timestamp.