JWT Decoder
Paste a JSON Web Token to decode its header and payload, inspect standard claims, and (optionally) verify the signature. Everything runs in your browser — your tokens never touch our server.
About JWT verification
HS256/HS384/HS512 — symmetric HMAC. Paste the shared secret as plain text. Anyone with the secret can forge tokens.
RS256/RS384/RS512 — RSA signature. Paste the public key in PEM format (-----BEGIN PUBLIC KEY-----). The public key only verifies; it cannot forge.
ES256/ES384 — ECDSA signature. Paste the EC public key in PEM format.
alg: none is a known weakness: the token carries no signature, so a server that accepts it trusts unsigned tokens. Flagged automatically here.
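The rules above can be enforced before any key is used. The following is an added example, not this tool's own code: preflight() and the other names are hypothetical. It reads the header, rejects alg none in any letter case, and checks that the pasted key matches the algorithm family (a shared secret for HS*, a PEM public key for RS*/ES*). It does not verify the signature itself.

```javascript
// Added example; preflight() and the other names are hypothetical, not this tool's code.
const FAMILIES = new Map([
  ["HS256", "hmac"], ["HS384", "hmac"], ["HS512", "hmac"],
  ["RS256", "rsa"], ["RS384", "rsa"], ["RS512", "rsa"],
  ["ES256", "ecdsa"], ["ES384", "ecdsa"],
]); // a Map, so a header value like "constructor" cannot hit Object.prototype

function decodeSegment(seg) {
  // base64url -> base64, restore padding, then parse the bytes as UTF-8 JSON
  const b64 = seg.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return JSON.parse(new TextDecoder().decode(bytes));
}

function preflight(token, keyText) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) return { ok: false, reason: "not header.payload.signature" };
  let header;
  try {
    header = decodeSegment(parts[0]);
  } catch {
    return { ok: false, reason: "header is not base64url JSON" };
  }
  const alg = String(header?.alg);
  // "none", "None" and "NONE" all mean unsigned: never report these as verified
  if (alg.toLowerCase() === "none") return { ok: false, alg, reason: "alg none: unsigned token" };
  const family = FAMILIES.get(alg);
  if (!family) return { ok: false, alg, reason: "algorithm not in allowlist" };
  if (parts[2] === "") return { ok: false, alg, reason: "empty signature" };
  const isPem = /-----BEGIN [A-Z ]*PUBLIC KEY-----/.test(keyText);
  // A public key is not secret, so it must never be accepted as an HMAC secret
  if (family === "hmac" && isPem) return { ok: false, alg, reason: "public key supplied as HMAC secret" };
  if (family !== "hmac" && !isPem) return { ok: false, alg, reason: "PEM public key required" };
  return { ok: true, alg, family };
}

// Constructed sample inputs; the signature segment "c2ln" is a placeholder, not a valid signature
const enc = (o) => btoa(JSON.stringify(o)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const body = enc({ sub: "demo" });
const SAMPLE_HS = `${enc({ alg: "HS256", typ: "JWT" })}.${body}.c2ln`;
const SAMPLE_RS = `${enc({ alg: "RS256", typ: "JWT" })}.${body}.c2ln`;
const SAMPLE_NONE = `${enc({ alg: "None", typ: "JWT" })}.${body}.`;
const SAMPLE_PEM = "-----BEGIN PUBLIC KEY-----\n(constructed placeholder)\n-----END PUBLIC KEY-----";
```

Only a token that passes this check should go on to signature verification with the key type its family requires.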