Loading tool

Loading tools

JWT Decoder

Decode + sign + verify HS256/384/512 in browser.

JWT

No expiry setHS256

Header

Algorithm + token type

"alg": "HS256"

"typ": "JWT"

Payload

Claims (data)

"sub"(Subject): "1234567890"

"name"(Name): "John Doe"

"iat"(Issued at): 1516239022 // 2018-01-18 01:30:22 UTC (3041d ago)

Signature

SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Decode + verify + sign all run in your browser via Web Crypto.

Algorithms (verify)

Yes

Sign + verify

Unlimited

Free uses per day

Browser

Runs in

What is the JWT Decoder?

A JWT decoder splits a JSON Web Token into header, payload, and signature, decodes the Base64URL segments, parses the JSON, validates expiration claims (exp, iat, nbf), and shows you everything in a structured view. This one also signs new JWTs and verifies HS256/HS384/HS512 signatures -all in your browser. Your token and secret never leave the page.

Most online JWT debuggers run on a server. You paste your token, they parse it, and you have to trust them not to log it. We use Web Crypto subtle.sign for HMAC operations and atob for Base64URL -all local. Same UX, no trust required.

How it works

Step 1

Paste a JWT

Three Base64URL segments separated by dots. Decoder splits and parses each.

Step 2

Inspect claims

Header + payload as formatted JSON. Known claims (iss, sub, exp, iat) get human labels.

Step 3

Verify or sign

HS256/384/512 verification with your secret. Sign new tokens with custom payload.

Features

Color-coded segments

Header, payload, signature each in its own color. Same color highlighting in the input field as you paste.

Expiration timeline

Visual timeline showing iat, nbf, exp markers + current time. Status badge: valid / expired / not-yet-valid.

Claim labels

iss → Issuer, sub → Subject, exp → Expiration time. 30+ known claim names get human labels and time-claim formatting.

HMAC verify

HS256, HS384, HS512 verification via Web Crypto. Type your secret, get instant valid/invalid result.

JWT signing

Sign mode: paste payload, set secret, pick HS algorithm, get a fresh JWT. Useful for testing API auth flows.

Anti-pattern warnings

Flags 'none' algorithm (security flaw), expired tokens, missing exp claim, weak HS secrets.

Time claim humanizer

Unix timestamp → readable date + relative time (e.g. '2h from now', '3d ago'). Less brain math.

Browser only

Token, secret, payload all stay client-side. Web Crypto + atob run locally. Zero network calls.

Why this decoder

Browser-only verify

jwt.io is great but you're sending tokens to their server. Our HMAC verify runs locally via Web Crypto. Tokens never leave your laptop.

Sign new tokens

Most decoders only decode. We let you sign. Useful when testing API auth flows or building OIDC test fixtures.

Time claim helpers

Unix timestamps in JWTs are a usability nightmare. We render them as human dates with relative-time labels.

Anti-pattern warnings

Flags weak signing algorithms, missing claims, expired tokens. Catches mistakes before they hit production.

Who uses it

API devs

Debugging auth header tokens, validating expiration, checking claim contents.

Security pros

Auditing signed payloads, testing for weak secrets, verifying signature implementations.

OIDC integrators

Inspecting access_token / id_token from Okta, Auth0, Cognito, Keycloak flows.

Students

Learning what claims are, why exp matters, how HMAC signatures work.

Real use cases

Your API request is rejecting a JWT and you suspect it's expired. Paste the token, see the exp timestamp + relative time. Yep, expired 3 hours ago. Refresh and retry.
An Okta access_token shows up in your logs with claims you don't recognize. Decode it, see iss, aud, scope, sub. Match to your application config.
You need to test your API's auth middleware locally. Sign a custom JWT with HS256 + your secret + a synthetic payload. Send it as Authorization: Bearer ... -your middleware accepts it.
Production is leaking auth tokens in error logs. Paste a leaked token, decode the payload, identify which user / scope is affected. Trigger a forced re-auth.
A frontend dev asks why their JWT verification fails. Decode their token, check the alg in header. They signed HS256 but server expects HS384. Mismatch found.
You're explaining JWTs in a code review. Open the decoder, paste an example token, point at header.alg = HS256, payload.exp expiration, signature segment. Click Sign mode. Perfect demo.

Compared with other tools

Feature	Molixa	jwt.io	jwt-decoder.io	DenCode
Decode	Yes	Yes	Yes	Yes
HS256/384/512 verify	Yes (local)	Yes (server)	Yes	Yes
JWT signing	Yes	Yes	No	Yes
Time claim humanizer	Yes	Partial	No	No
Anti-pattern warnings	Yes	No	No	No
Free, no signup	Yes	Yes	Yes	Yes
Browser-only verify	Yes	Server-side	Server-side	Yes

Frequently asked questions

Is the JWT decoder free?▾

Yes. Unlimited use, no signup, browser-only. jwt.io is the de-facto standard but ships HS256/RS256/ES256 verification only when you trust them with your tokens; we run all the math locally.

What's a JWT?▾

JSON Web Token. Three Base64URL-encoded segments joined by dots: header.payload.signature. Used for stateless authentication in APIs and OIDC flows. The signature lets the server trust the token without storing session state.

Is my token sent anywhere?▾

No. Decoding runs in your browser via atob(). Verification (HS256) runs via Web Crypto subtle.sign. Even your secret never leaves the page. Compare with online debuggers that send your token to their server for parsing.

Which algorithms can I verify?▾

HS256, HS384, HS512 -the HMAC-based algorithms. Web Crypto handles those natively. For RS256/ES256 (RSA / ECDSA), you need a public key in JWK or PEM format and a few extra steps; we plan to add those.

How do I check if my token is expired?▾

Decoder shows a status badge: valid, expired, not-yet-valid (nbf in future), or no-expiry. The exp claim is interpreted as Unix seconds and compared to your local clock.

What's the difference between 'iat' and 'exp'?▾

iat = issued at (when the token was created). exp = expiration (when it stops being valid). Standard rotation: server creates token at iat, sets exp = iat + 3600 (1 hour), client refreshes before exp.

What's 'nbf'?▾

Not before. The token is invalid until this timestamp. Used for delayed-activation tokens. Less common than exp/iat. Always check nbf if your token includes it.

Can I sign my own JWT?▾

Yes. Switch to Sign mode, paste header (or use defaults), paste payload, set secret. We compute HS256/HS384/HS512 signature via Web Crypto and emit the full token. Useful for testing API auth flows locally.

Why does my JWT verify mismatch?▾

Three usual causes. (1) Wrong secret -the secret used to sign must match the one used to verify. (2) Token tampered with -even one byte change invalidates the signature. (3) Algorithm mismatch -token signed with HS256 won't verify with HS384.

Is JWT secure?▾

JWT itself is just a format. Security depends on (a) signing algorithm strength -HS256 is fine if the secret is strong; (b) secret strength -32+ random bytes for HS-family; (c) implementation -never accept the 'none' algorithm, always validate the signature server-side, never trust unverified payloads.

Decode and verify a JWT

Decode, verify, sign. Browser-only. Free unlimited.

Open the JWT decoder

Built and reviewed bySaqib Zahoor, WeboTech Studio

Last updated: May 14, 2026

The JWT Decoder page is built, reviewed, and maintained by the Molixa team. We use the tool we ship and update the docs when the behavior changes.

Loading tool

JWT Decoder

Decode + sign + verify HS256/384/512 in browser.

JWT

No expiry setHS256

Header

Algorithm + token type

"alg": "HS256"

"typ": "JWT"

Payload

Claims (data)

"sub"(Subject): "1234567890"

"name"(Name): "John Doe"

"iat"(Issued at): 1516239022 // 2018-01-18 01:30:22 UTC (3041d ago)

Signature

SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Decode + verify + sign all run in your browser via Web Crypto.

Algorithms (verify)

Yes

Sign + verify

Unlimited

Free uses per day

Browser

Runs in

What is the JWT Decoder?

How it works

Step 1

Paste a JWT

Three Base64URL segments separated by dots. Decoder splits and parses each.

Step 2

Inspect claims

Header + payload as formatted JSON. Known claims (iss, sub, exp, iat) get human labels.

Step 3

Verify or sign

HS256/384/512 verification with your secret. Sign new tokens with custom payload.

Features

Color-coded segments

Header, payload, signature each in its own color. Same color highlighting in the input field as you paste.

Expiration timeline

Visual timeline showing iat, nbf, exp markers + current time. Status badge: valid / expired / not-yet-valid.

Claim labels

iss → Issuer, sub → Subject, exp → Expiration time. 30+ known claim names get human labels and time-claim formatting.

HMAC verify

HS256, HS384, HS512 verification via Web Crypto. Type your secret, get instant valid/invalid result.

JWT signing

Sign mode: paste payload, set secret, pick HS algorithm, get a fresh JWT. Useful for testing API auth flows.

Anti-pattern warnings

Flags 'none' algorithm (security flaw), expired tokens, missing exp claim, weak HS secrets.

Time claim humanizer

Unix timestamp → readable date + relative time (e.g. '2h from now', '3d ago'). Less brain math.

Browser only

Token, secret, payload all stay client-side. Web Crypto + atob run locally. Zero network calls.

Why this decoder

Browser-only verify

jwt.io is great but you're sending tokens to their server. Our HMAC verify runs locally via Web Crypto. Tokens never leave your laptop.

Sign new tokens

Most decoders only decode. We let you sign. Useful when testing API auth flows or building OIDC test fixtures.

Time claim helpers

Unix timestamps in JWTs are a usability nightmare. We render them as human dates with relative-time labels.

Anti-pattern warnings

Flags weak signing algorithms, missing claims, expired tokens. Catches mistakes before they hit production.

Who uses it

API devs

Debugging auth header tokens, validating expiration, checking claim contents.

Security pros

Auditing signed payloads, testing for weak secrets, verifying signature implementations.

OIDC integrators

Inspecting access_token / id_token from Okta, Auth0, Cognito, Keycloak flows.

Students

Learning what claims are, why exp matters, how HMAC signatures work.

Real use cases

Your API request is rejecting a JWT and you suspect it's expired. Paste the token, see the exp timestamp + relative time. Yep, expired 3 hours ago. Refresh and retry.
An Okta access_token shows up in your logs with claims you don't recognize. Decode it, see iss, aud, scope, sub. Match to your application config.
You need to test your API's auth middleware locally. Sign a custom JWT with HS256 + your secret + a synthetic payload. Send it as Authorization: Bearer ... -your middleware accepts it.
Production is leaking auth tokens in error logs. Paste a leaked token, decode the payload, identify which user / scope is affected. Trigger a forced re-auth.
A frontend dev asks why their JWT verification fails. Decode their token, check the alg in header. They signed HS256 but server expects HS384. Mismatch found.
You're explaining JWTs in a code review. Open the decoder, paste an example token, point at header.alg = HS256, payload.exp expiration, signature segment. Click Sign mode. Perfect demo.

Compared with other tools

Feature	Molixa	jwt.io	jwt-decoder.io	DenCode
Decode	Yes	Yes	Yes	Yes
HS256/384/512 verify	Yes (local)	Yes (server)	Yes	Yes
JWT signing	Yes	Yes	No	Yes
Time claim humanizer	Yes	Partial	No	No
Anti-pattern warnings	Yes	No	No	No
Free, no signup	Yes	Yes	Yes	Yes
Browser-only verify	Yes	Server-side	Server-side	Yes

Frequently asked questions

Is the JWT decoder free?▾

Yes. Unlimited use, no signup, browser-only. jwt.io is the de-facto standard but ships HS256/RS256/ES256 verification only when you trust them with your tokens; we run all the math locally.

What's a JWT?▾

Is my token sent anywhere?▾

Which algorithms can I verify?▾

How do I check if my token is expired?▾

Decoder shows a status badge: valid, expired, not-yet-valid (nbf in future), or no-expiry. The exp claim is interpreted as Unix seconds and compared to your local clock.

What's the difference between 'iat' and 'exp'?▾

What's 'nbf'?▾

Not before. The token is invalid until this timestamp. Used for delayed-activation tokens. Less common than exp/iat. Always check nbf if your token includes it.

Can I sign my own JWT?▾

Why does my JWT verify mismatch?▾

Is JWT secure?▾

Decode and verify a JWT

Decode, verify, sign. Browser-only. Free unlimited.

Open the JWT decoder

Built and reviewed bySaqib Zahoor, WeboTech Studio

Last updated: May 14, 2026

The JWT Decoder page is built, reviewed, and maintained by the Molixa team. We use the tool we ship and update the docs when the behavior changes.

JWT Decoder

Header

Payload

Signature

What is the JWT Decoder?

How it works

Features

Why this decoder

Who uses it

Real use cases

Compared with other tools

Frequently asked questions

Decode and verify a JWT

JWT Decoder

Header

Payload

Signature

What is the JWT Decoder?

How it works

Features

Why this decoder

Who uses it

Real use cases

Compared with other tools

Frequently asked questions

Decode and verify a JWT

From the blog