JWT decoder / generator

Decode JWT headers and claims, then generate HS256 test tokens locally. Tokens and signing secrets never leave your browser.


Showing example token — paste your own to decode it.

Expired 946d ago (exp: 2023-11-14T23:13:20.000Z)

Header (alg · typ)
alg: "HS256"
typ: "JWT"

Payload (claims)
sub: "user_123"
name: "Alice Smith"
email: "alice@example.com"
role: "admin"
iat: 1700000000 (2023-11-14 22:13:20 UTC)
exp: 1700003600 (2023-11-14 23:13:20 UTC)

Signature

SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Not verified — This tool decodes the token contents but cannot verify the signature. Signature verification requires the secret key. Never trust the contents of a decoded JWT without server-side verification.

JWT generator (HS256 · local)

Generator privacy — HS256 signing happens locally in your browser. Use this for development and testing only; production token issuance belongs on your server.

Guide

JWT Decoder / Generator: what it does and how to use it

What this JWT tool does

This JWT tool helps developers inspect JSON Web Tokens and create local HS256 test tokens. A JWT usually contains a header, a payload with claims, and a signature. Decoding it makes the claims readable so you can understand who issued the token, when it expires, which subject it belongs to, and which algorithm it declares.

How it works

Paste a token to split it into its three parts and decode the Base64URL header and payload. For generation, enter a JSON payload and a local signing secret; the browser signs the token with Web Crypto. Decoding does not prove that an existing token is trustworthy; that requires your server to verify the signature with the real key.
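The three steps described above, as an added example that is not this tool's own code: decoding, local HS256 test signing, and the server-side verification that decoding alone cannot replace. It assumes Node.js and uses its built-in crypto module rather than the browser's Web Crypto; the function names, secret and claims are constructed for illustration.

```javascript
// Load node:crypto whether this file runs as CommonJS or as an ES module.
const { createHmac, timingSafeEqual } = typeof require === "function"
  ? require("node:crypto") : process.getBuiltinModule("node:crypto");

const b64url = (data) => Buffer.from(data).toString("base64url");
const hmac = (input, secret) => createHmac("sha256", secret).update(input).digest();

// Decoder step: split and Base64URL-decode. Proves nothing about authenticity.
function decodeJwt(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("malformed token");
  const parse = (seg) => JSON.parse(Buffer.from(seg, "base64url").toString("utf8"));
  return { header: parse(parts[0]), payload: parse(parts[1]),
    signingInput: `${parts[0]}.${parts[1]}`, signature: Buffer.from(parts[2], "base64url") };
}

// Generator step: HMAC-SHA256 over "header.payload" (test tokens only).
function signHs256(payload, secret) {
  const header = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const input = `${header}.${b64url(JSON.stringify(payload))}`;
  return `${input}.${b64url(hmac(input, secret))}`;
}

// Server step: the checks that must pass before any claim is trusted.
function verifyHs256(token, secret, nowSeconds) {
  const { header, payload, signingInput, signature } = decodeJwt(token);
  // Pin the algorithm; never let the token's own header choose it.
  if (header.alg !== "HS256") throw new Error("unexpected alg");
  const expected = hmac(signingInput, secret);
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  if (signature.length !== expected.length || !timingSafeEqual(signature, expected))
    throw new Error("bad signature");
  if (typeof payload.exp !== "number" || nowSeconds >= payload.exp) throw new Error("expired or no exp");
  if (typeof payload.nbf === "number" && nowSeconds < payload.nbf) throw new Error("not yet valid");
  return payload;
}

// Constructed sample data: the secret, claims and clock value are made up.
const SECRET = "local-test-secret-not-for-production";
const claims = { sub: "user_123", role: "user", iat: 1700000000, exp: 1700003600 };
const token = signHs256(claims, SECRET);
// Same header and signature, payload edited to role "admin" without the secret.
const [hdr, , sig] = token.split(".");
const edited = `${hdr}.${b64url(JSON.stringify({ ...claims, role: "admin" }))}.${sig}`;

// Returns the verified role, or the reason verification failed.
function outcome(t, now = 1700000100) {
  try { return verifyHs256(t, SECRET, now).role; } catch (e) { return e.message; }
}
console.log(decodeJwt(edited).payload.role, "|", outcome(edited), "|", outcome(token));
```

The edited token decodes cleanly and displays role "admin", yet the verifier rejects it, which is why decoded claims carry no weight until the signature check passes.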

Examples

  • Inspect exp, iat, nbf, sub, aud, iss, and role claims.
  • Generate a short-lived HS256 token for local API testing.
  • Debug why an authentication flow rejects a token.

Security considerations

Tokens and signing secrets stay in the browser. Never paste production secrets into shared devices, and never trust decoded claims without server-side verification.

FAQ

What is a JWT?

A JWT is a compact token format used to send signed claims between systems, often for authentication and API access.

Can this verify a token?

It decodes tokens and can generate HS256 test tokens. Trust decisions still require server-side signature verification.

Is the token uploaded?

No. Decoding and HS256 generation run locally in your browser.