Tools100% Private

JWT Decoder & Verifier

RFC 7519 / 7518 · runs entirely in your browser

Paste a JSON Web Token below and the header, payload, and signature pieces are decoded instantly. Click Verify to add a key and run the cryptographic check locally with the browser's Web Crypto API. Supports HS256/384/512, RS256/384/512, PS256/384/512, ES256/384/512.

Token

Header—

Paste a token above

Payload

—

SignatureNot verified

—

What gets verified

After decoding the header and payload, this page verifies the signature against a key you supply. The signature is computed over the exact bytes of base64url(header)+"."+base64url(payload) and compared to the third segment using the algorithm declared in the header.

This page handles every standard JWT signing family:

HS256/HS384/HS512 — symmetric (HMAC) signatures, verified with the shared secret.
RS256/RS384/RS512 — RSA-PKCS#1 v1.5 signatures, verified with the issuer's RSA public key (PEM SPKI).
PS256/PS384/PS512 — RSA-PSS signatures, verified with the same RSA public key form.
ES256/ES384/ES512 — ECDSA signatures on P-256 / P-384 / P-521, verified with the matching EC public key.

Time claims

Three standard time-related claims are interpreted automatically:

iat (issued at) — when the token was minted.
nbf (not before) — the earliest time the token is valid.
exp (expires at) — the latest time the token is valid.

Common use cases

Decode an opaque Authorization: Bearer … token to see exactly what claims your client is sending or your server is receiving.
Confirm an OIDC ID token signature against the issuer's public key before trusting the claims.
Check an internal-service JWT was signed with the expected shared secret.
Verify a token that was supposed to expire is in fact rejected — paste it here and compare to the live exp countdown.

Privacy

Tokens, secrets, and keys you paste are processed only in your browser. There is no network round-trip; the verification key is held in memory only as long as the page is open and is never stored or logged anywhere.