JWT Decoder & Encoder

Decode and encode JSON Web Tokens (JWT) client-side. Parse claims, inspect signatures, and generate HMAC-signed examples without sending data to a server.

Browser-BasedResponsive UIPrivacy-First
Privacy: This tool runs fully offline in your browser. Your secret tokens are never sent to any server. No inputs are uploaded or stored.
Algorithm support:Decoder reads JWTs that use none, HS*, RS*, ES*, and PS* alg headers. Encoder/generate currently signs HS256, HS384, HS512, and none locally.

Paste Encoded Token

INFOEnter a valid JWT token to see the parsed output.

Header Algorithm & Token Type

{ /* Header claims will appear here */ }

Payload Data & Claims

{ /* Payload claims will appear here */ }

JWT Signature Verification Optional

Enter the secret used to sign the JWT below. HS tokens can be verified locally; RS, ES, and PS tokens need public-key verification.

HS256, HS384, and HS512 can be verified with a shared secret. RS, ES, and PS tokens need public-key verification.

No Token Loaded

How it works

Free JWT decoder and encoder with offline HMAC verification

Paste any encoded JWT to instantly decode the header, payload, registered claims, timestamps, and algorithm metadata — all running locally in your browser with zero server uploads. The decoder separates decoding from verification: decoding reads the Base64URL JSON, while verification checks the signature against a trusted secret or key. HS256, HS384, and HS512 signatures can be verified with a shared secret. RSA, ECDSA, and RSA-PSS tokens can be decoded but public-key verification is not yet available.

The encoder lets you edit the header, payload, and secret key, then generate a signed HS256, HS384, HS512, or unsigned none token for testing. A sample John Doe token loads on first use so the page is immediately useful. All signing, decoding, and verification happen client-side, making this tool safer for learning and debugging than server-based alternatives. Use generated tokens only for development — production authentication should be validated by your backend with strict issuer, audience, expiration, and signature checks.