Free JWT decoder and verifier
Paste a JSON Web Token to read its header and payload, then check the signature with a secret or public key. The token and the key are decoded on your device with the Web Crypto API. A JWT often is the credential, so this one never crosses the network.
Copied to clipboard
How the JWT decoder works
Paste your token
The token is split into its three parts and the header and payload are base64url-decoded on your device as you type.
Read the claims
Registered claims are named, and the expiry and issued-at times are shown as readable dates with a valid or expired marker.
Verify the signature
Enter the secret or public key and the browser's Web Crypto API checks the signature. The secret never leaves the page.
Private by design: nothing leaves your browser
A JSON Web Token is frequently the thing that authenticates a request, so pasting one into a website that posts it to a server hands over a live credential. This decoder was built so that never happens:
100% client-side
Decoding is plain JavaScript and signature checks use crypto.subtle.verify, your browser's own cryptography. No network request carries the token or the key.
Secret stays on the page
The shared secret or private-side material is never needed here. You verify with the HMAC secret or the public key, and even that is used only in memory and then discarded on reload.
Standard crypto only
Verification uses the audited Web Crypto primitives for HMAC, RSA, and ECDSA, so the result matches any conforming library on your backend.
Decoding is not verifying
- The payload is readable by anyone holding the token, because it is encoded, not encrypted. Keep secrets out of it.
- A decoded token tells you what it claims. Only a verified signature tells you the claims are genuine.
- Reject a token whose signature does not verify, whose
exphas passed, or whosealgisnone.
Built for developers and security-conscious teams
Anyone debugging an auth flow who would rather not paste a live token into a random website. BlockSurvey takes the same position on research data with zero-knowledge surveys, where responses are encrypted before they ever reach a server.
Backend developers
Inspect the claims your API is issuing, confirm an expiry is set, and check a token signs with the key you expect before shipping.
Security & IT teams
Triage a suspicious token during an incident without sending it anywhere, and prove to a colleague that a payload was tampered with.
API integrators
Read what a third-party token contains, see which scopes it grants, and work out why a request is being rejected.
Building something that handles sensitive data?
BlockSurvey runs on zero-knowledge surveys, so the responses you collect are never sold or mined. Responses are encrypted on the respondent's device, so the server stores nothing readable.
More free privacy tools
Browse all privacy toolsThese tools run in your browser because that is how we build everything. The same idea, applied to research: privacy-first surveys with end-to-end encryption.