Free JWT decoder (local decode + optional HMAC verify)
Paste a standard JWS compact token (three Base64URL parts). Header and payload are decoded and formatted as JSON. Optional verification only supports symmetric HS256, HS384, and HS512 using Web Crypto — your secret never leaves this tab. RS256, ES256, EdDSA, and alg none are shown for inspection but cannot be fully verified here.
How to use this tool
1. Open JWT decoder
   Use it for this task: JWT header and claims decode, UTC exp / nbf / iat, optional HS256 / HS384 / HS512 verify - no upload.
2. Paste the encoded value
   Add the token or encoded string in the input box. The page decodes it locally in your browser.
3. Read and copy the decoded parts
   Review the header, payload, claims, or decoded text, then copy the piece you need.
Quick facts
| Question | Answer |
|---|---|
| Runs offline? | Yes — after this page loads, decoding and HMAC use only your browser. |
| Is anything uploaded? | No. Safe Local Tools is static; tokens and secrets stay in this tab. |
| RS256 or JWKS? | Asymmetric algorithms need public keys or JWKS — not implemented here. Decode claims only. |
| Encrypted JWE? | Only JWS compact (signed) tokens with three segments are supported — not JWE. |
Top use cases
- JWT header and claims decode, UTC exp / nbf / iat, optional HS256 / HS384 / HS512 verify - no upload.
FAQ
Can I trust the decoded payload?
Anyone can Base64-decode a JWT, so decoding alone proves nothing about who issued it. Signature verification proves integrity for the right algorithm and key, and this page can perform it only for the HS256 family with a secret you supply.
Why does verification say unsupported?
Many APIs issue RS256 tokens verified with the issuer’s public key. Importing JWKS and wiring every curve is out of scope for this lightweight decoder — use your framework or jwt.io-style tooling for full asymmetric checks.
Are secrets stored?
No server calls exist. Secrets live in page memory until you reload or navigate away.
Does this validate exp against the clock?
We display timestamps for information only. Your API must still enforce exp and nbf when authorizing requests.
Why is my paste invalid?
Some tools add a Bearer prefix or wrapping quotes. Trim to exactly header.payload.signature with ASCII dots. Preserve case in the Base64URL segments.
What about nested JWTs?
If a claim contains another JWT string, decode that inner token in a second pass — this field expects one compact JWS at the outer level.