Case Converter
JWT Decoder
Decode a JSON Web Token to read its header, payload and claims, verify the signature with a secret or public key, or generate a freshly signed token. HS, RS, ES and PS algorithms, all computed in your browser with the Web Crypto API. Your keys and tokens never leave your device. No sign-up, free.
Paste a token, or load an example, to see its decoded header, payload and claims.
How to use the JWT tool
Paste or load a token
Paste a JWT into the encoded box, or load a ready example for HS256, RS256, ES256 or PS256 to see how it works.
Read the decoded token
The header, payload and claims are decoded and pretty-printed, with expiry and issued-at times made human-readable.
Verify or generate
Paste the secret or public key to verify the signature, or switch to Encode to sign your own token with any supported algorithm.
JWT questions, answered
Are my token and keys sent to a server?
No. Decoding, verifying and signing all run in your browser with the built-in Web Crypto API. Your token, secrets and private keys are never uploaded, logged or stored, which matters because tokens and keys are sensitive.
How does signature verification work?
Paste the secret for an HMAC token (HS256/384/512) or the public key in PEM format for an RSA or elliptic-curve token (RS, ES or PS). The tool recomputes the signature and tells you whether it is valid. Decoding a token never proves it is authentic; only verification does.
Which algorithms are supported?
HS256, HS384, HS512, RS256, RS384, RS512, ES256, ES384, ES512, PS256, PS384 and PS512, for both verifying and signing. The example buttons generate a working token and matching key for each family.
Can I generate and sign a new token?
Yes. Switch to Encode, choose an algorithm, edit the payload, and provide a secret (HMAC) or generate a key pair (RSA or EC) with one click. The tool signs the token in your browser and shows the public key you can share for verification.
Is a JWT encrypted?
No. A standard JWT is Base64URL-encoded, not encrypted, so anyone with the token can read its payload, exactly as this tool does. The signature only proves the token was not altered. Never put a secret you would not want revealed into a payload.
What do exp, iat and nbf mean?
They are standard time claims in seconds since 1970: exp is when the token expires, iat is when it was issued, and nbf is the earliest time it is valid. The tool shows them as readable dates with a relative time and an active or expired badge.