JWT Decoder

Decode and verify JSON Web Tokens — header, payload, claims, and signature.

Decode and verify JSON Web Tokens. Signature verification runs in your browser — your secret never leaves.

Encoded
Valid structure
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
Header
{
  "alg": "HS256",
  "typ": "JWT"
}
Payload
{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022
}
Issued at
1/18/2018, 1:30:22 AM
Subject
1234567890
Signature

SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

What is a JWT?

A JSON Web Token (JWT) is a compact, URL-safe way to represent claims. It has three base64url-encoded parts separated by dots: a header (algorithm + token type), a payload (claims), and a signature (verification). This tool decodes the header and payload, and can optionally verify the signature using your secret or public key.

Is this secure?

Signature verification uses your browser's Web Crypto API — your secret or private key is sent to our server only for the verification call and is never logged or stored. The decoded header and payload are computed entirely in your browser, with no server involved.

What is a JWT Decoder?

A JSON Web Token (JWT) is a compact, URL-safe way to represent claims. It has three base64url-encoded parts: header, payload, and signature. This tool decodes the header and payload and can optionally verify the signature.

How to decode a JWT

  1. Paste your token: Copy your JWT string (starts with 'eyJ') and paste it into the input field.
  2. Inspect claims: The decoded header and payload appear instantly — check exp, sub, iss, and any custom claims.
  3. Verify signature: Enter your secret or public key and click Verify to confirm the token hasn't been tampered with.
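
The three steps above as code, added here as an example and not this site's own implementation. It uses Node's built-in crypto module rather than the browser Web Crypto API and covers HS256 only; the function names and the signing helper for constructed test tokens are assumptions made for illustration.

```javascript
const { createHmac, timingSafeEqual } = require("node:crypto");

// Decode one base64url segment into a parsed JSON object.
function decodeSegment(seg) {
  const obj = JSON.parse(Buffer.from(seg, "base64url").toString("utf8"));
  if (obj === null || typeof obj !== "object") throw new Error("not a JSON object");
  return obj;
}

// Split a compact JWT into its three parts; decode header and payload only.
// Decoding proves nothing about authenticity: anyone can read these parts.
function decodeJwt(token) {
  const parts = String(token).split(".");
  if (parts.length !== 3 || !parts.every((p) => /^[A-Za-z0-9_-]+$/.test(p))) {
    throw new Error("expected three base64url parts");
  }
  return {
    header: decodeSegment(parts[0]),
    payload: decodeSegment(parts[1]),
    signingInput: `${parts[0]}.${parts[1]}`,
    signature: Buffer.from(parts[2], "base64url"),
  };
}

// Verify an HS256 token. The algorithm is pinned here rather than trusted
// from the header, so a token declaring "none" or RS256 is refused.
function verifyHs256(token, secret, nowSec = Math.floor(Date.now() / 1000)) {
  let jwt;
  try { jwt = decodeJwt(token); } catch { return { ok: false, reason: "malformed" }; }
  if (jwt.header.alg !== "HS256") return { ok: false, reason: "alg" };
  const expected = createHmac("sha256", secret).update(jwt.signingInput).digest();
  const sameLength = expected.length === jwt.signature.length;
  if (!sameLength || !timingSafeEqual(expected, jwt.signature)) {
    return { ok: false, reason: "signature" };
  }
  // exp is checked only after the signature, so unauthenticated claims are never acted on.
  if (typeof jwt.payload.exp === "number" && nowSec >= jwt.payload.exp) {
    return { ok: false, reason: "expired" };
  }
  return { ok: true, payload: jwt.payload };
}

// Helper for constructed samples: sign a payload with a made-up secret.
function signHs256(payload, secret) {
  const enc = (o) => Buffer.from(JSON.stringify(o)).toString("base64url");
  const input = `${enc({ alg: "HS256", typ: "JWT" })}.${enc(payload)}`;
  return `${input}.${createHmac("sha256", secret).update(input).digest("base64url")}`;
}
```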

Frequently asked questions

Does this verify the signature?
Yes — enter your HMAC secret or RSA/ECDSA public key in the Verify section. For HS* algorithms the secret is a plain string; for RS*/ES* provide a PEM public key.

Is my token sent to a server?
The browser-side decoder never makes a network call. The signature-verification endpoint receives your token and key only during the verify request; neither is logged or stored.

API: POST https://quickhelp.dev/api/jwt-decoder — JSON in, JSON out. See OpenAPI spec or llms.txt.
