Text Machine

Powerful text tools, in your browser

JWT Decoder

Decode any JSON Web Token to inspect its header, payload, and claims in a readable form — and optionally verify an HMAC (HS256/384/512) signature. Everything stays in your browser.

How to use JWT Decoder

  1. Paste your token

    Paste an encoded JSON Web Token into the input field. The decoder splits it into header, payload, and signature automatically.

  2. Read the claims

    Inspect the decoded header and payload as formatted JSON, and review registered claims like expiry and issued-at shown as readable dates.

  3. Verify the signature

    For HMAC tokens, enter the signing secret to confirm the signature is valid and the token has not been tampered with.

  4. Copy what you need

    Copy the formatted header or payload JSON to your clipboard to use in tests, documentation, or debugging.

Frequently asked questions

What is a JSON Web Token (JWT)?
A JSON Web Token is a compact, URL-safe way to represent claims between two parties. It has three Base64URL-encoded parts — a header, a payload, and a signature — separated by dots, and is widely used for authentication and authorization in web APIs.
Does decoding a JWT reveal the password or secret?
No. The header and payload are only Base64URL-encoded, not encrypted, so anyone can read them — that is why you should never store sensitive secrets inside a token. The signing secret itself is never part of the token and cannot be recovered by decoding it.
How does signature verification work here?
For HMAC algorithms (HS256, HS384, HS512), the tool recomputes the signature from the header, payload, and the secret you provide using your browser's built-in Web Crypto API, then compares it to the token's signature. Asymmetric algorithms such as RS256 and ES256 require public keys and are decoded but not verified.
What do the exp and iat claims mean?
exp (expiration time) and iat (issued at) are registered claims stored as Unix timestamps in seconds. This decoder converts them to readable dates and shows whether the token is currently active, not yet valid, or expired based on your device's clock.
Is my token sent to a server?
No. Decoding and signature verification run entirely in your browser. Your token and secret are never uploaded, logged, or stored, so even production tokens stay completely private.
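
The HMAC check described under "How does signature verification work here?" can be sketched with the Web Crypto API as follows. This is an added example, not the tool's own source; the function names (`decodeJwt`, `verifyHmacJwt`, `signHmacJwt`, `demo`), the sample claims and the secret are constructed for illustration.

```javascript
// Node fallback so the same Web Crypto calls run outside a browser.
const subtle = globalThis.crypto?.subtle ?? require('node:crypto').webcrypto.subtle;
const HASHES = new Map([['HS256', 'SHA-256'], ['HS384', 'SHA-384'], ['HS512', 'SHA-512']]);
const enc = new TextEncoder();

// Base64URL -> bytes: restore the standard alphabet and padding first.
function b64urlToBytes(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  return Uint8Array.from(atob(b64.padEnd(Math.ceil(b64.length / 4) * 4, '=')), c => c.charCodeAt(0));
}
function bytesToB64url(bytes) {
  return btoa(String.fromCharCode(...bytes)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
// Decoding needs no key: split on dots and parse the first two parts as JSON.
function decodeJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('expected header.payload.signature');
  const json = p => JSON.parse(new TextDecoder().decode(b64urlToBytes(p)));
  return { header: json(parts[0]), payload: json(parts[1]), parts };
}

const hmacKey = (secret, hash, usage) =>
  subtle.importKey('raw', enc.encode(secret), { name: 'HMAC', hash }, false, [usage]);
// Recompute the MAC over "header.payload"; subtle.verify compares it to the token's.
// A decoder reads alg from the header; a server should pin the algorithm it expects.
async function verifyHmacJwt(token, secret) {
  const { header, parts } = decodeJwt(token);
  const hash = HASHES.get(header.alg);
  if (!hash) return { valid: false, reason: `alg ${header.alg}: decoded, not verified` };
  const key = await hmacKey(secret, hash, 'verify');
  const valid = await subtle.verify('HMAC', key, b64urlToBytes(parts[2]), enc.encode(`${parts[0]}.${parts[1]}`));
  return { valid, reason: valid ? 'signature matches' : 'signature mismatch' };
}

// Builds constructed sample tokens for the demo below.
async function signHmacJwt(header, payload, secret) {
  const input = [header, payload].map(o => bytesToB64url(enc.encode(JSON.stringify(o)))).join('.');
  const mac = await subtle.sign('HMAC', await hmacKey(secret, HASHES.get(header.alg), 'sign'), enc.encode(input));
  return `${input}.${bytesToB64url(new Uint8Array(mac))}`;
}
async function demo() {
  const secret = 'constructed-demo-secret'; // constructed value, not a real key
  const token = await signHmacJwt({ alg: 'HS256', typ: 'JWT' }, { sub: 'alice', admin: false }, secret);
  const [h, , sig] = token.split('.');
  const tampered = `${h}.${bytesToB64url(enc.encode('{"sub":"alice","admin":true}'))}.${sig}`;
  return { good: await verifyHmacJwt(token, secret), tampered: await verifyHmacJwt(tampered, secret),
           wrongSecret: await verifyHmacJwt(token, 'guess'), claims: decodeJwt(tampered).payload };
}
demo().then(r => console.log(r));
```

The tampered token still decodes to readable claims (`admin: true`), which is why decoded content should be trusted only after the signature check passes.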
