DevKit Labs

JWT Decoder & Debugger

Decode and inspect a JSON Web Token's header, payload and claims — and verify HMAC signatures, 100% in your browser.


About JWT Decoder & Debugger

Paste a JSON Web Token and its header and payload are decoded instantly into readable JSON. Standard claims (iss, sub, aud, exp, nbf, iat, jti) are explained, and time claims are shown as human-readable dates with an at-a-glance “Not expired / Expired” status.

Optionally verify the signature: enter the secret and HS256, HS384 and HS512 tokens are checked locally with the Web Crypto API. Everything happens in your browser — your token and secret are never sent anywhere — but as a rule you shouldn't paste production secrets into any online tool.

Decode a token's payload

Input
eyJhbGciOiJIUzI1Ni…  (header.payload.signature)
Output
{ "sub": "1234567890", "name": "John Doe", "iat": 1516239022 }

Enter the secret to verify an HS256/384/512 signature.

Frequently asked questions

Is my token sent to a server?

No. Decoding and signature verification happen entirely in your browser, so your token and secret never leave your device.

Can it verify the signature?

Yes, for HMAC algorithms (HS256, HS384, HS512): enter the secret and the token is verified locally with the Web Crypto API. RS/ES (public-key) verification isn't supported.

What do the claims mean?

It labels the registered claims — iss (issuer), sub (subject), aud (audience), exp (expiry), nbf (not before), iat (issued at) and jti (JWT ID) — and renders the time-based ones as dates.

Why does it say a token is expired?

If the exp claim is in the past relative to your current time, the token is shown as expired; nbf in the future shows as not yet valid. Decoding still works regardless.
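The decode, expiry-status and HMAC-verification steps described in these answers can be reproduced with the Web Crypto API. This is an added example, not the tool's own source: the names `inspectJwt`, `hmacKey` and `makeSampleToken` are hypothetical, the sample token is constructed locally, and rejecting any `alg` outside HS256/HS384/HS512 is a choice made for this sketch.

```javascript
// Added example (not the tool's code). HS256/384/512 only.
const HASHES = { HS256: 'SHA-256', HS384: 'SHA-384', HS512: 'SHA-512' };
const enc = new TextEncoder();

const b64urlToBytes = (s) => {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64.padEnd(Math.ceil(b64.length / 4) * 4, '=');
  return Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
};
const bytesToB64url = (bytes) =>
  btoa(String.fromCharCode(...bytes)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');

// Import the shared secret as a non-extractable HMAC key for one usage.
async function hmacKey(alg, secret, usage) {
  if (!Object.hasOwn(HASHES, alg)) throw new Error(`unsupported alg: ${alg}`);
  // Browsers and current Node expose crypto.subtle globally; the import is a fallback for older Node.
  const subtle = globalThis.crypto?.subtle ?? (await import('node:crypto')).webcrypto.subtle;
  const key = await subtle.importKey('raw', enc.encode(secret),
    { name: 'HMAC', hash: HASHES[alg] }, false, [usage]);
  return { subtle, key };
}

// Decode header and payload, derive the time status, then verify the signature.
async function inspectJwt(token, secret, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('expected header.payload.signature');
  const [h, p, s] = parts;
  const json = (seg) => JSON.parse(new TextDecoder().decode(b64urlToBytes(seg)));
  const header = json(h);
  const payload = json(p);
  // exp at or before "now" counts as expired; nbf in the future is not yet valid.
  let status = 'Not expired';
  if (typeof payload.exp === 'number' && payload.exp <= nowSec) status = 'Expired';
  else if (typeof payload.nbf === 'number' && payload.nbf > nowSec) status = 'Not yet valid';
  // The signature covers the ASCII string "<header>.<payload>" exactly as received.
  const { subtle, key } = await hmacKey(header.alg, secret, 'verify');
  const signatureValid = await subtle.verify(
    'HMAC', key, b64urlToBytes(s), enc.encode(`${h}.${p}`));
  return { header, payload, status, signatureValid };
}

// Constructed sample token, signed locally so the example runs offline.
async function makeSampleToken(claims, secret, alg = 'HS256') {
  const seg = (o) => bytesToB64url(enc.encode(JSON.stringify(o)));
  const input = `${seg({ alg, typ: 'JWT' })}.${seg(claims)}`;
  const { subtle, key } = await hmacKey(alg, secret, 'sign');
  const sig = new Uint8Array(await subtle.sign('HMAC', key, enc.encode(input)));
  return `${input}.${bytesToB64url(sig)}`;
}
```

The time status and the signature result are reported independently, so an expired token can still verify and a token with a failed signature still decodes.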
