About the JWT Decoder & Encoder

A browser-based tool for decoding, verifying, and signing JSON Web Tokens — built for developers.

What it is

The JWT Decoder & Encoder gives you instant visibility into any JSON Web Token the moment you paste it in. It splits the token into its three segments — header, payload, and signature — and displays the decoded claims as clean, syntax-highlighted JSON, so you can read what's inside without writing a single line of code.

Everything runs entirely in your browser using the Web Crypto API. Your tokens and secrets are never sent to a server or stored anywhere. Close the tab and they're gone. This makes it safe to inspect tokens from real authentication flows, API responses, and identity providers without risking credential exposure.

Key features

Decode header, payload & signature

Splits any JWT into its three parts and displays the header and payload as readable, indented JSON with full syntax highlighting.

Expiry check

Reads the exp and iat claims and instantly shows whether the token is still valid, expired, or has no expiry — with a time-remaining indicator.

Signature verification

Verifies HMAC signatures (HS256, HS384, HS512) against your secret using the Web Crypto API — entirely client-side, nothing transmitted.

Encode & sign

Build a custom header and payload, choose your algorithm, enter a secret, and generate a fully signed JWT for testing and development.
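
The decode, expiry, verify and sign features listed above can be reproduced with the Web Crypto API along these lines. This is an added example, not the tool's own source; the function names are hypothetical, and any secret or claims passed in are the caller's test values.

```javascript
// Added example (not the tool's source): decode, expiry check, HMAC sign/verify.
// Falls back to Node's webcrypto where globalThis.crypto is not defined.
const subtle = (globalThis.crypto ?? require('node:crypto').webcrypto).subtle;
const HASHES = { HS256: 'SHA-256', HS384: 'SHA-384', HS512: 'SHA-512' };
const enc = new TextEncoder();

const toB64url = (bytes) =>
  btoa(String.fromCharCode(...bytes)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const fromB64url = (s) => {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/').padEnd(Math.ceil(s.length / 4) * 4, '=');
  return Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
};

// Split into the three segments and parse header and payload as JSON.
function decodeJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('expected header.payload.signature');
  const [header, payload] = parts.slice(0, 2)
    .map((p) => JSON.parse(new TextDecoder().decode(fromB64url(p))));
  return { header, payload, signingInput: `${parts[0]}.${parts[1]}`, signature: fromB64url(parts[2]) };
}

// exp is seconds since the epoch; the token is expired once now >= exp (RFC 7519).
function expiryStatus(payload, nowSec = Math.floor(Date.now() / 1000)) {
  if (typeof payload.exp !== 'number') return { state: 'no-expiry' };
  return payload.exp > nowSec
    ? { state: 'valid', secondsLeft: payload.exp - nowSec }
    : { state: 'expired', secondsAgo: nowSec - payload.exp };
}

// Import the secret as an HMAC key; any alg outside HS256/384/512 (e.g. "none") is refused.
async function hmacKey(alg, secret, usage) {
  if (!Object.hasOwn(HASHES, alg)) throw new Error(`unsupported alg: ${alg}`);
  return subtle.importKey('raw', enc.encode(secret), { name: 'HMAC', hash: HASHES[alg] }, false, [usage]);
}

async function signJwt(header, payload, secret) {
  const input = [header, payload].map((o) => toB64url(enc.encode(JSON.stringify(o)))).join('.');
  const sig = await subtle.sign('HMAC', await hmacKey(header.alg, secret, 'sign'), enc.encode(input));
  return `${input}.${toB64url(new Uint8Array(sig))}`;
}

// subtle.verify recomputes the MAC over "header.payload" and compares it to the signature.
async function verifyJwt(token, secret) {
  const { header, signingInput, signature } = decodeJwt(token);
  const key = await hmacKey(header.alg, secret, 'verify');
  return subtle.verify('HMAC', key, signature, enc.encode(signingInput));
}
```

Decoding and the expiry check work on any well-formed token, signed or not, so a "valid" expiry state says nothing about authenticity until verifyJwt has also returned true.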

Who it's for

Backend developers

Inspect auth tokens from OAuth flows, API gateways, and microservice calls — quickly verify claims, scopes, and expiry without opening a debugger.

Frontend engineers

Decode access tokens from login responses to understand what user data is available and diagnose mismatches between token claims and UI behaviour.

Security & platform teams

Verify token signatures, audit expiry policies, and confirm algorithm choices during security reviews or incident investigations.

QA & test engineers

Encode custom tokens with specific claims — expired tokens, scoped permissions, edge-case payloads — to drive automated test suites without a live auth server.

Completely free

No account, no rate limit, no premium tier. Decode a short access token or a complex OIDC ID token — both work instantly. If you find it useful, sharing it with a colleague debugging an auth issue is all we ask.

Ready to decode a JWT?

Free, no sign-up required. Works on any device.
