JWT Decoder & Verifier
Local & private — decode header/payload and optionally verify signature.
Pro Signature verification (optional)
Supported: HS256 (secret), RS256 (RSA), PS256 (RSA-PSS). Others will decode but not verify here.
About this tool
This decoder runs entirely in your browser. It parses JWTs (Base64URL JSON header and payload) and can verify signatures for HS256 with a secret or RS256/PS256 with a public key (PEM or JWK) using WebCrypto. It also highlights time-based claims like exp, nbf and iat.
Security note: Never paste production secrets; verification is informational and not a replacement for server-side checks.
Do you upload my JWTs or keys?
No. Decoding and verification run entirely in your browser via WebCrypto. Tokens/keys are not sent anywhere or stored on our servers.
Which algorithms can be verified?
HS256 (HMAC secret) and RS256/PS256 (RSA / RSA-PSS with a public key). Others decode but aren’t verified here.
How do I verify HS256?
Enable verification → choose HMAC Secret → paste the signing secret → Verify.
How do I verify RS256 or PS256?
Enable verification → choose Public Key PEM (SPKI) or Public JWK (kty=RSA with n and e) → paste the key → Verify.
Do you validate exp, nbf and iat?
Yes — claim checks are shown against your current time. Treat them as informational; always enforce validation on your server.
Is alg: none supported?
We can decode such tokens, but there’s no signature to verify. Avoid using unsigned JWTs in production.
Can I fetch keys from a JWKS URL?
No — for privacy, this tool doesn’t fetch keys over the network. Paste a public JWK or PEM instead to verify locally.
Last updated: October 20, 2025