
JWT Decoder

Decode + sign + verify HS256/384/512 in browser.


Header (algorithm + token type)

  "alg": "HS256"
  "typ": "JWT"

Payload (claims)

  "sub" (Subject): "1234567890"
  "name" (Name): "John Doe"
  "iat" (Issued at): 1516239022 // 2018-01-18 01:30:22 UTC (3084d ago)

Signature

  SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
Decode + verify + sign all run in your browser via Web Crypto.

Algorithms (verify): 3
Sign + verify: Yes
Free uses per day: Unlimited
Runs in: Browser

What is the JWT Decoder?

A JWT decoder splits a JSON Web Token into header, payload, and signature, decodes the Base64URL segments, parses the JSON, validates the time claims (exp, iat, nbf), and shows you everything in a structured view. This one also signs new JWTs and verifies HS256/HS384/HS512 signatures, all in your browser. Your token and secret never leave the page.

Most online JWT debuggers run on a server. You paste your token, they parse it, and you have to trust them not to log it. We use Web Crypto subtle.sign for HMAC operations and atob for Base64URL decoding, all local. Same UX, no trust required.

How it works

Step 1: Paste a JWT
Three Base64URL segments separated by dots. The decoder splits and parses each.
Step 2: Inspect claims
Header + payload as formatted JSON. Known claims (iss, sub, exp, iat) get human labels.
Step 3: Verify or sign
HS256/384/512 verification with your secret. Sign new tokens with a custom payload.

Features

Color-coded segments
Header, payload, signature each in its own color. Same color highlighting in the input field as you paste.
Expiration timeline
Visual timeline showing iat, nbf, exp markers + current time. Status badge: valid / expired / not-yet-valid.
Claim labels
iss → Issuer, sub → Subject, exp → Expiration time. 30+ known claim names get human labels and time-claim formatting.
HMAC verify
HS256, HS384, HS512 verification via Web Crypto. Type your secret, get instant valid/invalid result.
JWT signing
Sign mode: paste payload, set secret, pick HS algorithm, get a fresh JWT. Useful for testing API auth flows.
Anti-pattern warnings
Flags 'none' algorithm (security flaw), expired tokens, missing exp claim, weak HS secrets.
Time claim humanizer
Unix timestamp → readable date + relative time (e.g. '2h from now', '3d ago'). Less brain math.
Browser only
Token, secret, payload all stay client-side. Web Crypto + atob run locally. Zero network calls.

Why this decoder

Browser-only verify

jwt.io is great but you're sending tokens to their server. Our HMAC verify runs locally via Web Crypto. Tokens never leave your laptop.

Sign new tokens

Most decoders only decode. We let you sign. Useful when testing API auth flows or building OIDC test fixtures.

Time claim helpers

Unix timestamps in JWTs are a usability nightmare. We render them as human dates with relative-time labels.

Anti-pattern warnings

Flags weak signing algorithms, missing claims, expired tokens. Catches mistakes before they hit production.

Who uses it

API devs
Debugging auth header tokens, validating expiration, checking claim contents.
Security pros
Auditing signed payloads, testing for weak secrets, verifying signature implementations.
OIDC integrators
Inspecting access_token / id_token from Okta, Auth0, Cognito, Keycloak flows.
Students
Learning what claims are, why exp matters, how HMAC signatures work.

Real use cases

  • Your API request is rejecting a JWT and you suspect it's expired. Paste the token, see the exp timestamp + relative time. Yep, expired 3 hours ago. Refresh and retry.
  • An Okta access_token shows up in your logs with claims you don't recognize. Decode it, see iss, aud, scope, sub. Match to your application config.
  • You need to test your API's auth middleware locally. Sign a custom JWT with HS256 + your secret + a synthetic payload. Send it as Authorization: Bearer ... and your middleware accepts it.
  • Production is leaking auth tokens in error logs. Paste a leaked token, decode the payload, identify which user / scope is affected. Trigger a forced re-auth.
  • A frontend dev asks why their JWT verification fails. Decode their token, check the alg in header. They signed HS256 but server expects HS384. Mismatch found.
  • You're explaining JWTs in a code review. Open the decoder, paste an example token, point at header.alg = HS256, payload.exp expiration, signature segment. Click Sign mode. Perfect demo.

Compared with other tools

Feature                 | Molixa      | jwt.io       | jwt-decoder.io | DenCode
Decode                  | Yes         | Yes          | Yes            | Yes
HS256/384/512 verify    | Yes (local) | Yes (server) | Yes            | Yes
JWT signing             | Yes         | Yes          | No             | Yes
Time claim humanizer    | Yes         | Partial      | No             | No
Anti-pattern warnings   | Yes         | No           | No             | No
Free, no signup         | Yes         | Yes          | Yes            | Yes
Browser-only verify     | Yes         | Server-side  | Server-side    | Yes

Frequently asked questions

Is the JWT decoder free?

Yes. Unlimited use, no signup, browser-only. jwt.io is the de-facto standard, but its HS256/RS256/ES256 verification requires trusting them with your tokens; we run all the math locally.

What's a JWT?

JSON Web Token. Three Base64URL-encoded segments joined by dots: header.payload.signature. Used for stateless authentication in APIs and OIDC flows. The signature lets the server trust the token without storing session state.

Is my token sent anywhere?

No. Decoding runs in your browser via atob(). Verification (HS256) runs via Web Crypto subtle.sign. Even your secret never leaves the page. Compare with online debuggers that send your token to their server for parsing.

Which algorithms can I verify?

HS256, HS384, HS512, the HMAC-based algorithms. Web Crypto handles those natively. For RS256/ES256 (RSA / ECDSA), you need a public key in JWK or PEM format and a few extra steps; we plan to add those.

How do I check if my token is expired?

Decoder shows a status badge: valid, expired, not-yet-valid (nbf in future), or no-expiry. The exp claim is interpreted as Unix seconds and compared to your local clock.

What's the difference between 'iat' and 'exp'?

iat = issued at (when the token was created). exp = expiration (when it stops being valid). Standard rotation: server creates token at iat, sets exp = iat + 3600 (1 hour), client refreshes before exp.

What's 'nbf'?

Not before. The token is invalid until this timestamp. Used for delayed-activation tokens. Less common than exp/iat. Always check nbf if your token includes it.

Can I sign my own JWT?

Yes. Switch to Sign mode, paste header (or use defaults), paste payload, set secret. We compute HS256/HS384/HS512 signature via Web Crypto and emit the full token. Useful for testing API auth flows locally.

Why does my JWT verify mismatch?

Three usual causes. (1) Wrong secret: the secret used to sign must match the one used to verify. (2) Token tampered with: even a one-byte change invalidates the signature. (3) Algorithm mismatch: a token signed with HS256 won't verify with HS384.

Is JWT secure?

JWT itself is just a format. Security depends on (a) signing algorithm strength: HS256 is fine if the secret is strong; (b) secret strength: 32+ random bytes for the HS family; (c) implementation: never accept the 'none' algorithm, always validate the signature server-side, never trust unverified payloads.

Decode and verify a JWT

Decode, verify, sign. Browser-only. Free unlimited.

Open the JWT decoder
Built and reviewed by Saqib Zahoor, WeboTech Studio

The JWT Decoder page is built, reviewed, and maintained by the Molixa team. We use the tool we ship and update the docs when the behavior changes.