
JWT Decoder & Verifier

100% Local  ·  No Server  ·  No Token Upload

🔒 Token-Safe & Private: All decoding and verification run entirely in your browser. Your JWT tokens and keys never leave your computer.

What is a JWT, and what does this tool do?

A JSON Web Token (JWT) is a compact, URL-safe string that services use to assert who you are or to carry claims between systems in a tamper-evident way; you meet it in login sessions, API authentication, and single sign-on (SSO). It is three Base64URL-encoded segments joined by dots: header.payload.signature. The signature lets the recipient detect changes to the header and payload; it does not hide their contents, which anyone holding the token can read.

This tool lets you instantly decode the header and payload to see exactly what claims are inside — user ID, roles, expiry time, and more — and optionally verify the signature using your own secret key, all without sending anything to a server.

Paste your token → decoded instantly
See expiry & issued-at times in human-readable format
Verify HS256/384/512 signatures with your secret key
Your tokens & keys never leave your browser


⚠ Asymmetric algorithms (RS*, ES*, PS*) are decoded but not verified here: this tool only implements HMAC (HS*) verification. Verifying those tokens needs the issuer's public key.


Frequently Asked Questions: Secure & Offline JWT Decoding

Common developer questions about JSON Web Token security, privacy, and local verification.

How do I decode a JWT offline securely?

This tool decodes JSON Web Tokens entirely with native browser JavaScript APIs: atob() for the Base64 decoding (after mapping the Base64URL alphabet back to standard Base64 and restoring the padding), decodeURIComponent() to turn the decoded bytes into UTF-8 text, and the W3C Web Crypto API (crypto.subtle) for HMAC signature verification. No external API calls are made at any point. The token string is held only in your browser's JavaScript memory and is never transmitted over a network. You can also save the index.html file locally and run it fully offline in an air-gapped environment, with no dependency on any external server or CDN.
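The decoding path described above, as an added example rather than the tool's own code. It uses the same browser-native pieces (atob() plus a UTF-8 decode; TextDecoder stands in for the decodeURIComponent() trick) and adds the checks a careful decoder makes: the segment count, the Base64URL alphabet, and NumericDate claims rendered as ISO timestamps. The sample token is constructed for the example, its header and payload are the values given in the comment, and nothing here checks its signature.

```javascript
// Added example (not the page's own code): decode a JWT's header and payload
// with only browser-native APIs, mirroring what the tool does on the client.
// atob() understands standard Base64, so the Base64URL alphabet is mapped back
// first and the missing '=' padding restored; TextDecoder turns the raw bytes
// into UTF-8 text (the page's decodeURIComponent() trick does the same job).

function base64UrlDecode(segment) {
  if (!/^[A-Za-z0-9_-]*$/.test(segment)) {
    throw new Error("segment contains characters outside the Base64URL alphabet");
  }
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const binary = atob(padded);
  const bytes = new Uint8Array(binary.length);
  for (let i = 0; i < binary.length; i++) bytes[i] = binary.charCodeAt(i);
  return bytes;
}

function decodeJwt(token) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) {
    throw new Error(`expected 3 dot-separated segments, got ${parts.length}`);
  }
  const utf8 = new TextDecoder("utf-8", { fatal: true });
  const header = JSON.parse(utf8.decode(base64UrlDecode(parts[0])));
  const payload = JSON.parse(utf8.decode(base64UrlDecode(parts[1])));
  const signature = base64UrlDecode(parts[2]); // raw bytes, not interpreted here
  return { header, payload, signature };
}

// NumericDate claims (iat, nbf, exp) are seconds since the Unix epoch.
function describeTimes(payload, nowSeconds = Math.floor(Date.now() / 1000)) {
  const out = {};
  for (const claim of ["iat", "nbf", "exp"]) {
    if (typeof payload[claim] === "number") {
      out[claim] = new Date(payload[claim] * 1000).toISOString();
    }
  }
  if (typeof payload.exp === "number") out.expired = payload.exp <= nowSeconds;
  if (typeof payload.nbf === "number") out.notYetValid = payload.nbf > nowSeconds;
  return out;
}

// Constructed sample: header {"alg":"HS256","typ":"JWT"} and payload
// {"sub":"1234567890","name":"John Doe","iat":1516239022}. The third
// segment is just bytes to this decoder; nothing here checks it.
const SAMPLE_TOKEN =
  "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9." +
  "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ." +
  "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c";

const decoded = decodeJwt(SAMPLE_TOKEN);
console.log(decoded.header, decoded.payload, describeTimes(decoded.payload));
```

The fatal TextDecoder and the alphabet check are deliberate: a token that decodes to invalid UTF-8 or carries stray characters is malformed input, and a decoder that silently produces something from it hides that from the person reading the output.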

Is it safe to paste a JWT into an online tool?

Many browser-based JWT tools send the token to a remote server for processing. When you paste a token into one of those, it is transmitted to a third-party system where it may be logged, cached in request logs, or stored in analytics pipelines, often without your knowledge. If the token carries personally identifiable information (PII) such as email addresses, user IDs, or roles, or if it is a live bearer token for a corporate SSO session or production API, that data, and possibly the credential itself, is exposed to an external party. Treat pasting a token anywhere as handling a credential: a JWT is usually a bearer token, so whoever holds the string can replay it until it expires. This tool is a safer alternative: it is a single static HTML file that performs all decoding and verification locally in your browser. No token data, payload claims, or secret keys leave your computer. Keep in mind that decoding alone shows only what the token claims; until the signature has been checked against the issuer's key, nothing in the payload should be trusted.

Can you extract a secret key just by decoding a JWT?

No. A JWT consists of three parts: the Header, the Payload, and the Signature. Decoding reveals only the Header and Payload, which are Base64URL-encoded plain text that anyone can read; that is why you should never put secrets inside JWT claims. The third part is either a keyed message authentication code (for HS256/384/512, an HMAC over the encoded header and payload computed with the shared secret) or an asymmetric digital signature (for RSA or ECDSA, made with the issuer's private key). The signature value is visible in the token, but it cannot be inverted to recover the key: the only route is to guess candidate secrets and recompute the HMAC until one matches. That is infeasible for a long random secret, but it is practical for a short or dictionary-word secret, and it can be done offline from a single captured token with no further contact with the issuer. So decoding never leaks the secret, but a weak secret can still be cracked from the signature alone.

How do I verify a JWT signature locally?

Paste your token into the input field on this page. If the header's alg claim is HS256, HS384, or HS512, a Secret Key input field appears automatically. Enter your secret in UTF-8, Base64, or Hex encoding (pick the encoding the issuer actually used: the same text entered as UTF-8 and as Base64 gives different key bytes and a false mismatch), then click Verify Signature. The browser's built-in crypto.subtle.verify() recomputes the HMAC over the exact bytes of the encoded header and payload and compares the result with the token's signature, entirely locally. Asymmetric algorithms (RS*, ES*, PS*) are signed with the issuer's private key and verified with its public key; the Web Crypto API can perform that verification too, but this tool does not implement it, so those tokens can only be decoded here, not verified. In your own services, configure the algorithms you accept rather than letting the token's header choose them.

If you want more tools like this, please let us know

Email Us