JWT decoder / generator
Decode JWT headers and claims, then generate HS256 test tokens locally. Tokens and signing secrets never leave your browser.
Showing example token — paste your own to decode it.
Expired 946d ago (exp: 2023-11-14T23:13:20.000Z)
| alg | "HS256" |
| typ | "JWT" |
| sub | "user_123" |
| name | "Alice Smith" |
| "alice@example.com" | |
| role | "admin" |
| iat | 1700000000 (2023-11-14 22:13:20 UTC) |
| exp | 1700003600 (2023-11-14 23:13:20 UTC) |
SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
Not verified — This tool decodes the token contents but cannot verify the signature. Signature verification requires the secret key. Never trust the contents of a decoded JWT without server-side verification.
Generator privacy — HS256 signing happens locally in your browser. Use this for development and testing only; production token issuance belongs on your server.
Guide
JWT Decoder / Generator: what it does and how to use it
What this JWT tool does
This JWT tool helps developers inspect JSON Web Tokens and create local HS256 test tokens. A JWT usually contains a header, a payload with claims, and a signature. Decoding it makes the claims readable so you can understand who issued the token, when it expires, which subject it belongs to, and which algorithm it declares.
How it works
Paste a token to split it into its three parts and decode the Base64URL header and payload. For generation, enter a JSON payload and a local signing secret; the browser signs the token with Web Crypto. Decoding does not prove that an existing token is trustworthy; that requires your server to verify the signature with the real key.
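The decode, sign and verify steps described above, written out as an added example (not this tool's own code) to show why readable claims are not trusted claims. The function names, the `nowSec` parameter and the Node fallback import are assumptions made for illustration.

```javascript
// Added example: decode vs. verify for HS256 JWTs with Web Crypto.
const enc = new TextEncoder();

const b64urlToBytes = (s) => {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/')
    .padEnd(Math.ceil(s.length / 4) * 4, '=');
  return Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
};
const bytesToB64url = (bytes) => btoa(String.fromCharCode(...bytes))
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');

// Decode only: makes header and claims readable, proves nothing about them.
function decodeJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('expected header.payload.signature');
  const [header, payload] = parts.slice(0, 2)
    .map((p) => JSON.parse(new TextDecoder().decode(b64urlToBytes(p))));
  return { header, payload, signingInput: `${parts[0]}.${parts[1]}`, signature: parts[2] };
}

// Import the shared secret as a non-extractable HMAC-SHA-256 key.
async function hmacKey(secret, usage) {
  // Browser: globalThis.crypto. The import is a fallback for older Node (assumption).
  const subtle = globalThis.crypto?.subtle ?? (await import('node:crypto')).webcrypto.subtle;
  const alg = { name: 'HMAC', hash: 'SHA-256' };
  return { subtle, key: await subtle.importKey('raw', enc.encode(secret), alg, false, [usage]) };
}

// Generate an HS256 test token from a JSON payload and a local secret.
async function signHS256(payload, secret) {
  const head = bytesToB64url(enc.encode(JSON.stringify({ alg: 'HS256', typ: 'JWT' })));
  const body = bytesToB64url(enc.encode(JSON.stringify(payload)));
  const { subtle, key } = await hmacKey(secret, 'sign');
  const sig = await subtle.sign('HMAC', key, enc.encode(`${head}.${body}`));
  return `${head}.${body}.${bytesToB64url(new Uint8Array(sig))}`;
}

// Server-side check: pin the algorithm, verify the MAC, only then read exp.
async function verifyHS256(token, secret, nowSec = Math.floor(Date.now() / 1000)) {
  const { header, payload, signingInput, signature } = decodeJwt(token);
  if (header.alg !== 'HS256') return { ok: false, reason: 'unexpected alg' };
  const { subtle, key } = await hmacKey(secret, 'verify');
  const valid = await subtle.verify('HMAC', key, b64urlToBytes(signature), enc.encode(signingInput));
  if (!valid) return { ok: false, reason: 'bad signature' };
  if (typeof payload.exp !== 'number' || payload.exp <= nowSec) return { ok: false, reason: 'expired' };
  return { ok: true, claims: payload };
}
```

A token whose payload was edited after signing still decodes cleanly with `decodeJwt`, but `verifyHS256` rejects it, which is the gap between inspecting a token and trusting it.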
Examples
- Inspect exp, iat, nbf, sub, aud, iss, and role claims.
- Generate a short-lived HS256 token for local API testing.
- Debug why an authentication flow rejects a token.
Security considerations
Tokens and signing secrets stay in the browser. Never paste production secrets into shared devices, and never trust decoded claims without server-side verification.
FAQ
What is a JWT?
A JWT is a compact token format used to send signed claims between systems, often for authentication and API access.
Can this verify a token?
It decodes tokens and can generate HS256 test tokens. Trust decisions still require server-side signature verification.
Is the token uploaded?
No. Decoding and HS256 generation run locally in your browser.