Decode any JWT. Without pasting it into a stranger's server.
Paste a JSON Web Token to read its header and payload, every claim spelled out, with exp/iat/nbf shown as real dates and a live expiry countdown. Optionally check an HS256 signature. It all happens in your browser — the token is never uploaded.
FAQ
Is my token sent anywhere?
No. Your JWT is decoded and inspected entirely in your browser — it is never sent to a server, and neither is the secret you type to verify it. We count anonymous, aggregate usage on our own server (a page view, that a token was decoded) — never your token, its claims, or your secret.
What does "decoding" actually show me?
A JWT is three base64url parts: a header (the algorithm and type), a payload (the claims — who issued it, who it's for, when it expires), and a signature. Decoding reveals the header and payload as readable JSON and spells out the registered claims, turning exp, iat and nbf into real dates with a live countdown. Decoding does not verify the token — anyone can read a JWT; only the signature proves it's authentic.
How does HS256 verification work here?
HS256 signs header.payload with a shared secret using HMAC-SHA256. Paste that secret and we recompute the signature in your browser (via the WebCrypto API) and compare it to the one in the token. A match means the token is authentic and untampered. RS256/ES256 (public-key) tokens can't be checked with a secret — that's on the roadmap. No login, no payment — this one is free.