About
The JWT Tool decodes any JSON Web Token to reveal its header (algorithm, type) and payload claims (subject, name, issued-at, expiry) without needing the secret — perfect for debugging auth flows. It automatically detects token expiry and flags expired tokens with a warning. In Encode mode, you can sign a JSON payload as a new JWT using HMAC with SHA-256, SHA-384, or SHA-512 (HS256, HS384, HS512) and a custom secret key. All processing runs entirely in your browser using the Web Crypto API — your tokens, payloads, and secrets are never transmitted to any server. No sign-up required.
How to use
1. Paste your JWT string into the Decode tab to inspect the header and payload.
2. Switch to the Encode tab to create a new token.
3. Fill in the payload JSON and enter your signing secret.
4. Choose the algorithm (HS256, HS384, or HS512) and click Sign.
- Can I decode a JWT without knowing the secret?
- Yes. The header and payload of a JWT are Base64URL-encoded, not encrypted, so they can be decoded and read without the signing secret. Decoding does not verify the signature — it simply lets you inspect the claims. Never put sensitive data in a JWT payload.
- Is it safe to paste my JWT into this tool?
- All decoding and encoding runs entirely in your browser — your token is never sent to any server. That said, treat production tokens with care; use test or expired tokens when debugging in any online tool.
- What signing algorithms are supported for encoding?
- The encoder supports HS256 (HMAC-SHA-256), HS384 (HMAC-SHA-384), and HS512 (HMAC-SHA-512) — the most common symmetric signing algorithms. RSA and ECDSA (RS256, ES256) are asymmetric and require a private key, which is outside the scope of this browser-based tool.
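The decode, sign, and verify steps described above, as an added example in Python's standard library (not the tool's own browser code): `decode_unverified` mirrors the Decode tab, `sign` the Encode tab, and `verify` shows the step the tool deliberately omits, with the verifier pinning the expected algorithm rather than trusting the one in the header. The sample claims and secret are the jwt.io demo values, used here only as constructed input.

```python
import base64
import hashlib
import hmac
import json
import time

# Symmetric algorithms the tool supports, mapped to their hash function.
_HASHES = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}


def b64url_encode(data: bytes) -> str:
    # JWT segments use the URL-safe alphabet and drop the '=' padding.
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # Restore the padding the token omitted before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_unverified(token: str, now=None) -> dict:
    """Inspect header and claims without the secret. Proves nothing about authenticity."""
    header_b64, payload_b64, _sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    payload = json.loads(b64url_decode(payload_b64))
    exp = payload.get("exp")
    expired = exp is not None and exp <= (time.time() if now is None else now)
    return {"header": header, "payload": payload, "expired": expired}


def sign(payload: dict, secret: str, alg: str = "HS256") -> str:
    """Build header.payload and append an HMAC over that exact string."""
    header = {"alg": alg, "typ": "JWT"}
    segments = [b64url_encode(json.dumps(p, separators=(",", ":")).encode()) for p in (header, payload)]
    signing_input = ".".join(segments)
    mac = hmac.new(secret.encode(), signing_input.encode(), _HASHES[alg]).digest()
    return f"{signing_input}.{b64url_encode(mac)}"


def verify(token: str, secret: str, expected_alg: str = "HS256") -> bool:
    """Recompute the MAC with the algorithm the verifier expects, never the header's 'alg'."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
        presented = b64url_decode(sig_b64)
    except ValueError:  # wrong segment count or malformed base64url
        return False
    expected = hmac.new(secret.encode(), f"{header_b64}.{payload_b64}".encode(), _HASHES[expected_alg]).digest()
    # Constant-time comparison so a mismatch does not leak where the MAC diverged.
    return hmac.compare_digest(expected, presented)
```

Decoding a token whose payload segment has been swapped still succeeds, which is exactly why a consumer must call `verify` before acting on any claim.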