Paste a JSON Web Token to decode its header and payload, pretty-print the claims, check expiry, optionally verify the signature (HMAC or RSA/EC), and confirm each segment is valid base64url — all locally in your browser.
Interactive Client Prototype Sandbox
{
  "alg": "HS256",
  "typ": "JWT"
}

{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022,
  "exp": 1900000000
}

How to use the JWT Decoder & Inspector
Step-by-Step Guide
Paste a JWT to decode its header and payload, with humanized issued/expiry times and a base64url-validity badge on each of the three parts. To check the signature, expand 'Verify signature (optional)': for HS* algorithms paste the shared secret (tick the box if it is base64-encoded); for RS*/PS*/ES* paste the issuer's public key as PEM or JWK, then press Verify to get a Valid or Invalid result. A token with alg 'none' has no signature to verify. Verification runs entirely in your browser and is only as trustworthy as the secret or key you supply.
Who it's for
Web and API developers, QA engineers, and anyone debugging authentication.
Core Features
- Decodes and pretty-prints the JWT header and payload JSON.
- Shows the algorithm and type, humanizes iat / nbf / exp, and flags expiry.
- Optional signature verification — HMAC secret or RSA/EC public key (PEM or JWK), via Web Crypto.
- Per-segment base64url validity badges; 100% offline (no network, no JWKS fetch).
🛡️ No tracking — your inputs, keys, and details never leave this client sandbox.