How it works
Free JWT decoder and encoder with offline HMAC verification
Paste any encoded JWT to instantly decode the header, payload, registered claims, timestamps, and algorithm metadata — all running locally in your browser with zero server uploads. The decoder separates decoding from verification: decoding reads the Base64URL JSON, while verification checks the signature against a trusted secret or key. HS256, HS384, and HS512 signatures can be verified with a shared secret. RSA, ECDSA, and RSA-PSS tokens can be decoded but public-key verification is not yet available.
The encoder lets you edit the header, payload, and secret key, then generate a signed HS256, HS384, HS512, or unsigned none token for testing. A sample John Doe token loads on first use so the page is immediately useful. All signing, decoding, and verification happen client-side, making this tool safer for learning and debugging than server-based alternatives. Use generated tokens only for development — production authentication should be validated by your backend with strict issuer, audience, expiration, and signature checks.