Is decoding a JWT the same as verifying it?
No. Decoding simply reads the Base64URL data, while verification checks the signature.
JWT decoder and signature verification
Decode header and payload, check exp, and verify signatures with an optional secret key. Everything runs locally in your browser.
Algorithm
-
Expiration
-
Signature
-
How to decode a JWT
Paste a JWT to decode header/payload and optionally verify the signature.
- Paste the JWT token into the input field.
- Add a secret key to validate HS256/384/512 signatures (optional).
- Review the decoded header, payload, and expiration status.
Example
Input
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJ1c2VyXzEyMyIsImV4cCI6MTcxMDAwMDAwMH0.dBjftJeZ4CVP-mB92K27uhbUJU1p1r_wW1gFWFOEjXk
Output
Header: {"alg":"HS256","typ":"JWT"}
Payload: {"sub":"user_123","exp":1710000000}The exp claim is a Unix timestamp in seconds.
JWT decoder FAQs
Which algorithms are supported?
Currently HS256/384/512 (HMAC). RSA and ECDSA tokens are not supported yet.
Does my token leave the browser?
No. Decoding and verification run locally in your browser.