Paste a JSON Web Token to instantly decode and inspect its header, payload, and claims — all locally in your browser.
Enter the HMAC secret below to verify the token signature locally. This works only for HS256, HS384, and HS512 tokens. Your secret never leaves this page.
A JWT is a compact, URL-safe string used to transmit information between parties as a JSON object. It consists of three Base64URL-encoded parts separated by dots: header.payload.signature.
JWT) and the signing algorithm (HS256, RS256, etc.).
exp), issued-at (iat), and not-before (nbf).

sub — Subject (usually the user ID)
iss — Issuer (who created the token)
aud — Audience (who the token is intended for)
exp — Expiry time (Unix timestamp)
iat — Issued at (Unix timestamp)
nbf — Not valid before (Unix timestamp)

JWTs are encoded, not encrypted by default — anyone with the token can read the payload. Never store sensitive data (passwords, credit cards) in a JWT unless you also encrypt it (JWE). Always verify the signature on the server side before trusting claims.
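The server-side check described above, as an added example (not this tool's own code): it verifies an HS256/HS384/HS512 signature over header.payload with the standard library, then enforces exp and nbf. The secret, claim values and function names are constructed for illustration.

```python
import base64, hashlib, hmac, json, time

HMAC_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}

def b64url_decode(part: str) -> bytes:
    # Base64URL omits '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign(header: dict, payload: dict, secret: bytes) -> str:
    """Build a token; used here only to construct the sample input."""
    enc = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{enc(header)}.{enc(payload)}"
    mac = hmac.new(secret, signing_input.encode(), HMAC_ALGS[header["alg"]]).digest()
    return f"{signing_input}.{b64url_encode(mac)}"

def verify(token: str, secret: bytes, allowed=("HS256",), now=None) -> dict:
    """Return the payload only if the signature and time claims are valid."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    header = json.loads(b64url_decode(parts[0]))
    alg = header.get("alg")
    # The verifier chooses the accepted algorithms; the token header does not.
    if alg not in allowed or alg not in HMAC_ALGS:
        raise ValueError("algorithm not allowed")
    expected = hmac.new(secret, f"{parts[0]}.{parts[1]}".encode(), HMAC_ALGS[alg]).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        raise ValueError("bad signature")
    payload = json.loads(b64url_decode(parts[1]))
    now = time.time() if now is None else now
    if "exp" in payload and now >= payload["exp"]:
        raise ValueError("token expired")
    if "nbf" in payload and now < payload["nbf"]:
        raise ValueError("token not yet valid")
    return payload

# Constructed sample values, not taken from the page.
SECRET = b"constructed-demo-secret"
CLAIMS = {"sub": "user-123", "iss": "example-issuer",
          "iat": 1700000000, "nbf": 1700000000, "exp": 1700003600}
TOKEN = sign({"alg": "HS256", "typ": "JWT"}, CLAIMS, SECRET)
```

Claims are read only after the signature check passes, so a payload edited in transit is rejected before its exp or sub values are ever used.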