JWT decoder and encoder is a browser-based tool for debugging JSON Web Tokens. Paste a JWT to decode its Header and Payload, verify its signature, or switch to encode mode to build a new signed token. Everything runs locally — tokens and keys are never sent to a server.
JWT Structure at a Glance
A JWT is three Base64url-encoded segments, Header, Payload and Signature, separated by dots:
eyJhbGciOiJIUzI1NiJ9
.eyJ1c2VySWQiOiIxMjMiLCJleHAiOjE3MDAwMDAwMDB9
.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
Decoded Header:
{ "alg": "HS256", "typ": "JWT" }
Decoded Payload:
{
"userId": "123",
"exp": 1700000000,
"iss": "example.com",
"iat": 1699993600
}
alg determines the signing algorithm. exp is the expiration time as a Unix timestamp (seconds since the epoch). iss is the issuer. iat is the issued-at time, in the same format as exp.
Signature Verification
After pasting a JWT, the tool reads alg from the Header and shows the appropriate key input:
- HS256/HS384/HS512 (HMAC): enter the shared secret
- RS256/RS384/RS512 (RSA): enter the PEM public key or private key
- ES256/ES384/ES512 (ECDSA): enter the PEM EC public key or private key
The verification result updates in real time — green for valid, red for invalid. No extra button needed.
Choosing an Algorithm
HMAC symmetric (HS256/384/512)
- Same key signs and verifies
- Suitable for single-service internal use
- Key must be kept strictly secret — never expose to clients
RSA/ECDSA asymmetric (RS256/ES256 etc.)
- Private key signs, public key verifies
- Public key can be distributed openly
- Recommended for distributed systems and production environments
Encoding a New JWT
In encode mode: select an algorithm, edit the Payload JSON, enter the key or private key, and set an expiration such as 2h (2 hours), 30m (30 minutes), 1d (1 day), or 7d (7 days). The tool writes the exp timestamp automatically.
Why Signature Verification Fails
The most common causes: wrong key (a different secret than the one that signed the token), algorithm mismatch (Header says RS256 but you entered an HMAC secret), or the token has been tampered with. For asymmetric tokens, confirm you are using the correct public key — not the private key — for verification.