Frequently Asked Questions

Simply paste your JWT into the box and the tool instantly splits it into its header, payload, and signature and displays the decoded claims as readable JSON — no button refresh needed.

Yes, it's completely free with no sign-up, downloads, or limits. Decode and encode as many tokens as you need, as often as you like.

Yes. You can verify a JWT's HMAC signature against a secret (for HS256, HS384, or HS512) to confirm the token hasn't been tampered with. Verification uses the browser's Web Crypto API entirely client-side.

Yes. The tool reads the token's expiry (exp) and issued-at (iat) claims and tells you at a glance whether the token is still valid or has expired, including how much time remains or how long ago it expired.

Yes. Switch to the Encode tab, build a header and payload, provide a secret, and the tool will sign a valid JWT for testing using the Web Crypto API in your browser.

The tool supports HMAC algorithms HS256, HS384, and HS512 for both signing and verification. Decoding works with any algorithm since it doesn't require the secret — you can decode an RS256 or ES256 token and inspect its claims without a key.

No. Everything is decoded, verified, and signed entirely in your browser using the Web Crypto API. Your tokens and secrets are never stored or sent to a server, keeping sensitive credentials private.

Because all processing happens locally in your browser and nothing is transmitted, it's far safer than tools that send tokens to a server. Still, treat production secrets with care and avoid sharing them unnecessarily.

Yes, the tool is fully responsive and works on smartphones, tablets, and desktops without any installation.

Decoding simply reads and displays a token's contents — anyone can do this with any JWT, no secret needed. Verifying checks the signature with a secret or key to confirm the token is authentic and hasn't been tampered with.