DevTulz Online

JWT Decoder & Verifier


What is JWT Decoding?

JSON Web Tokens (JWT) are compact, URL-safe tokens consisting of three Base64URL-encoded parts separated by dots: header.payload.signature. The header specifies the signing algorithm (e.g. HS256, RS256). The payload contains claims — key-value pairs that assert information about the subject, such as user ID, roles, expiration time (exp), issued-at time (iat), and issuer (iss). The signature verifies that the header and payload haven't been tampered with. Decoding a JWT reveals the header and payload without needing a key — but signature verification requires the secret or public key to confirm the token is authentic.

How to Use the JWT Decoder Tool

  1. Paste your JWT token (the three-part dot-separated string) into the input field.

  2. The header and payload are decoded and displayed as formatted JSON automatically.

  3. Check the expiration time (exp claim) to see if the token is still valid.

  4. To verify the signature, enter the secret key (for HMAC algorithms like HS256) or the PEM public key (for RS256/ES256).

  5. The verification result shows whether the signature is valid. An invalid result means the token was altered or the wrong key was supplied.

This JWT decoder runs entirely in your browser — your tokens are never sent to any server. Supports decoding any JWT and signature verification for HS256/384/512, RS256/384/512, and ES256/384/512 algorithms. Useful for debugging authentication issues, inspecting token claims, and verifying token integrity.

Frequently Asked Questions

Is it safe to paste a JWT here? Yes — all decoding happens in your browser with no server communication. However, be cautious with tokens from production systems that grant real access. Access tokens should be treated like passwords. It's safest to use test tokens or tokens that have already expired.

What is the difference between decoding and verifying a JWT? Decoding simply base64-decodes the header and payload — anyone can do this without a key. Verifying checks the cryptographic signature using the secret or public key to confirm the token was issued by a trusted source and hasn't been modified.

What does 'exp' mean in a JWT payload? exp is the expiration time claim — a Unix timestamp after which the token should not be accepted. For example, exp: 1700000000 means the token expires at that Unix timestamp. Always verify the exp claim in your application code when validating tokens.

Can I modify a JWT payload? You can decode, change, and re-encode the payload, but doing so invalidates the signature, so the token will fail verification. JWTs are tamper-evident: any modification to the header or payload without the signing key (the shared secret for HMAC algorithms, the private key for RSA and ECDSA) produces an invalid signature.
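The answers above on decoding versus verifying, the exp check and tamper evidence, shown as an added example that is not part of the DevTulz tool or its code. It assumes Node.js and its built-in crypto module rather than the browser, handles HS256 only, and every helper name, secret, claim and clock value in it is constructed for illustration.

```javascript
// Added example, not DevTulz code. Loads node:crypto under CommonJS or ES modules.
const nodeCrypto = typeof require === 'function'
  ? require('node:crypto') : process.getBuiltinModule('node:crypto');

const b64url = (data) => Buffer.from(data).toString('base64url');
const parsePart = (part) => JSON.parse(Buffer.from(part, 'base64url').toString('utf8'));
const hmac = (secret, data) => nodeCrypto.createHmac('sha256', secret).update(data).digest();

// Decoding needs no key and proves nothing about who issued the token.
function decodeJwt(token) {
  const [h, p] = token.split('.');
  return { header: parsePart(h), payload: parsePart(p) };
}

// Hypothetical helper, used only to build the constructed sample tokens below.
function signHs256(payload, secret) {
  const input = `${b64url(JSON.stringify({ alg: 'HS256', typ: 'JWT' }))}.${b64url(JSON.stringify(payload))}`;
  return `${input}.${b64url(hmac(secret, input))}`;
}

// Verification: pin the algorithm, check the signature, then check exp.
function verifyHs256(token, secret, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = token.split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  let header, payload;
  try { header = parsePart(parts[0]); payload = parsePart(parts[1]); }
  catch { return { ok: false, reason: 'malformed' }; }
  // The verifier, not the token, decides the algorithm (assumption: HS256 only).
  if (header?.alg !== 'HS256') return { ok: false, reason: 'unexpected alg' };
  const expected = hmac(secret, `${parts[0]}.${parts[1]}`);
  const given = Buffer.from(parts[2], 'base64url');
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  if (given.length !== expected.length || !nodeCrypto.timingSafeEqual(given, expected))
    return { ok: false, reason: 'bad signature' };
  if (typeof payload?.exp !== 'number' || nowSec >= payload.exp)
    return { ok: false, reason: 'expired or missing exp' };
  return { ok: true, payload };
}

// Constructed sample data: the secret, claims and clock value are made up.
const SECRET = 'constructed-demo-secret';
const NOW = 1699999000;
const good = signHs256({ sub: 'user-1', role: 'viewer', exp: 1700000000 }, SECRET);
const [h, , sig] = good.split('.');
const tampered = `${h}.${b64url(JSON.stringify({ sub: 'user-1', role: 'admin', exp: 1700000000 }))}.${sig}`;
```

decodeJwt(tampered) still returns the edited claims, which is why application code must act only on the payload returned by a successful verifyHs256 call.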
