Free JWT decoder and verifier

Paste a JSON Web Token to read its header and payload, then check the signature with a secret or public key. The token and the key are decoded on your device with the Web Crypto API. A JWT often is the credential, so this one never crosses the network.

Copied to clipboard

How the JWT decoder works

1

Paste your token

The token is split into its three parts and the header and payload are base64url-decoded on your device as you type.

2

Read the claims

Registered claims are named, and the expiry and issued-at times are shown as readable dates with a valid or expired marker.

3

Verify the signature

Enter the secret or public key and the browser's Web Crypto API checks the signature. The secret never leaves the page.

Private by design: nothing leaves your browser

A JSON Web Token is frequently the thing that authenticates a request, so pasting one into a website that posts it to a server hands over a live credential. This decoder was built so that never happens:

01

100% client-side

Decoding is plain JavaScript and signature checks use crypto.subtle.verify, your browser's own cryptography. No network request carries the token or the key.

02

Secret stays on the page

The shared secret or private-side material is never needed here. You verify with the HMAC secret or the public key, and even that is used only in memory and then discarded on reload.

03

Standard crypto only

Verification uses the audited Web Crypto primitives for HMAC, RSA, and ECDSA, so the result matches any conforming library on your backend.

Decoding is not verifying

  1. The payload is readable by anyone holding the token, because it is encoded, not encrypted. Keep secrets out of it.
  2. A decoded token tells you what it claims. Only a verified signature tells you the claims are genuine.
  3. Reject a token whose signature does not verify, whose exp has passed, or whose alg is none.

Built for developers and security-conscious teams

Anyone debugging an auth flow who would rather not paste a live token into a random website. BlockSurvey takes the same position on research data with zero-knowledge surveys, where responses are encrypted before they ever reach a server.

Backend developers

Inspect the claims your API is issuing, confirm an expiry is set, and check a token signs with the key you expect before shipping.

Security & IT teams

Triage a suspicious token during an incident without sending it anywhere, and prove to a colleague that a payload was tampered with.

API integrators

Read what a third-party token contains, see which scopes it grants, and work out why a request is being rejected.

Building something that handles sensitive data?

BlockSurvey runs on zero-knowledge surveys, so the responses you collect are never sold or mined. Responses are encrypted on the respondent's device, so the server stores nothing readable.

More free privacy tools

Browse all privacy tools

These tools run in your browser because that is how we build everything. The same idea, applied to research: privacy-first surveys with end-to-end encryption.

Frequently asked questions

Is this JWT decoder free?

Yes, completely free with no sign-up and no limit on how many tokens you decode.

Is my token sent to a server?

No. The token is decoded in your browser with plain JavaScript, and signature verification uses the browser's built-in Web Crypto API. The token, the secret, and any key you paste stay on your device. Nothing is sent to a server or written to a log. That matters here more than for most tools, because a JWT often is the credential itself.

Does decoding a JWT reveal anything secret?

The header and payload of a JWT are only base64url-encoded, not encrypted, so anyone who holds the token can read them. That is by design: the claims are meant to be read by the receiver. Never put a password, a card number, or anything else you would not want seen into a JWT payload. Only the signature depends on a secret.

What does verifying the signature actually prove?

It proves the token was issued by someone holding the signing key and has not been altered since. Decoding tells you what a token claims; verifying tells you whether to believe it. A decoded token with an invalid signature should be rejected, because anyone can edit the payload and re-encode it.

Which algorithms can this tool verify?

HS256, HS384, and HS512 with a shared secret, and RS256, RS384, RS512, PS256, PS384, PS512, ES256, and ES384 with a public key in PEM format. For the HMAC family you paste the secret; for the RSA and ECDSA families you paste the public key, never the private one.

Why does verification fail even though the token looks correct?

Usually the secret or key does not match the one that signed the token, or you pasted a public key for a token signed with HMAC (or the reverse). A wrong key produces a valid-looking token that still fails verification, which is exactly the point. Check that the algorithm in the header matches the key type you provided.

Is an expired token still shown?

Yes. The tool decodes and displays every token regardless of its expiry, and marks the expiration and not-before claims as valid or expired next to the human-readable time, so you can see why a token would be rejected.

Can I use this offline?

Yes. Once the page has loaded you can disconnect from the internet and keep decoding and verifying, because everything runs in your browser.

Do you store the token or secret I paste in?

No. Decoding and signature verification both run with the browser's Web Crypto API, and nothing you paste is sent to a server or logged. That matters more here than for most tools, since a JWT is often the credential itself.

How is this different from a paid JWT debugger?

Most JWT debuggers, paid or free, work the same way this one does under the hood. The difference is that this one makes no server request to decode or verify, so a token or signing secret pasted here never leaves your device, and there is no sign-up or rate limit.
Scripts are blocked. This site won’t work properly. If you’re using Brave, click the Shields icon and turn off Block scripts. Otherwise disable your ad blocker for this site.