JWT Decoder & Verifier
Decode JWT claims and verify signatures — entirely in your browser, nothing uploaded.
100% in your browser. Nothing is uploaded.
Frequently asked questions
Is my token sent to a server?
No. Decoding and verification both run entirely in your browser using the native Web Crypto API. Your token never leaves your machine.
Which algorithms does signature verification support?
HS256, HS384, HS512 (HMAC — use the shared secret string) and RS256, RS384, RS512 (RSA — paste the PEM public key starting with -----BEGIN PUBLIC KEY-----). Other algorithms report "unsupported."
Why does decoding work without a secret?
JWT header and payload are Base64URL-encoded, not encrypted. Anyone with the token can read the claims. Decoding is not the same as verification — you still need the secret or public key to confirm the signature is legitimate.
More dev tools
JSON Formatter
Format, validate, minify, and explore JSON.
Base64 Encode/Decode
Encode and decode Base64 for text and files.
URL Encoder
Encode, decode, and parse URLs and query strings.
Hash Generator
MD5, SHA-1, SHA-256/384/512 for text and files.
UUID Generator
UUID v4, v7, and Nano ID. Bulk generation.
Regex Tester
Test patterns with live matches and replace.