JWT Decoder & Validator

Decode, verify, and generate JSON Web Tokens

Free Online JWT Decoder & Validator

Decode, verify, and generate JSON Web Tokens (JWTs) with our free, privacy-first online tool. Get instant security analysis, validate signatures, and understand JWT structure without uploading your tokens to any server. Perfect for developers debugging authentication flows, security auditors analyzing token security, and teams implementing JWT-based auth systems.

100% Client-Side

All JWT decoding, verification, and generation happens in your browser. Your tokens and secrets never leave your device.

Security Analysis

Automatic detection of security issues: algorithm "none" attacks, missing expiration, sensitive data exposure, and more.

9 Algorithm Support

Supports HMAC (HS256/384/512), RSA (RS256/384/512), and ECDSA (ES256/384/512) algorithms for complete JWT ecosystem coverage.

Key Capabilities

Decode JWT Tokens

Instantly decode any JWT token to view its header, payload, and signature. Our decoder parses the Base64URL-encoded parts and displays them in human-readable JSON format with syntax highlighting.

  • Color-coded header, payload, and signature sections
  • Standard claim tooltips (iss, sub, aud, exp, nbf, iat, jti)
  • Timestamp conversion for exp, nbf, and iat claims
  • Copy individual sections or the full decoded JSON

Verify JWT Signatures

Validate JWT signatures to ensure tokens haven't been tampered with. Enter your secret key, select the algorithm, and get instant verification results with detailed error messages if validation fails.

  • Support for symmetric (HMAC) and asymmetric (RSA, ECDSA) algorithms
  • Clear validation status with color-coded results
  • Detailed error messages for debugging failed validations
  • No server round-trips — instant local verification

Generate New JWTs

Create custom JWT tokens for testing and development. Define your header, add standard or custom claims to the payload, and generate properly signed tokens with your chosen algorithm.

  • Add unlimited custom claims with automatic JSON parsing
  • Support for all 9 standard JWT algorithms
  • Generated tokens ready to use in Authorization headers
  • Instant generation — no API calls or rate limits

Security Warnings

Automatic security analysis detects common JWT vulnerabilities and best practice violations. Get real-time warnings about token security issues before they become production problems.

  • Critical: Algorithm "none" attack detection
  • Warning: Missing or expired expiration claims
  • Warning: Sensitive data patterns in payload (passwords, SSN, etc.)
  • Info: Large token sizes affecting performance
  • Info: Not-before (nbf) claim validation
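The decoding described under "Decode JWT Tokens" and the security analysis listed above, as one added example that is not the tool's own code: a decoder that never verifies the signature and emits warnings in the same categories. The sensitive-claim patterns, the 4 KB size threshold and the sample token are constructed assumptions, not the tool's actual rules.

```javascript
// Added example, not the tool's own code: decode a JWT without verifying it and
// run the kinds of checks listed above. The sensitive-claim patterns and the
// 4 KB size threshold are assumptions, not the tool's actual rules.
const parseB64urlJson = (s) => JSON.parse(Buffer.from(s, 'base64url').toString('utf8'));
const toIso = (t) => new Date(t * 1000).toISOString();

const SENSITIVE_CLAIM = [/passw(or)?d/i, /\bssn\b/i, /social.?security/i, /credit.?card/i, /secret/i];
const LARGE_TOKEN_BYTES = 4096;

function decodeJwt(token, now = Math.floor(Date.now() / 1000)) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('malformed token: expected header.payload.signature');
  const header = parseB64urlJson(parts[0]);
  const payload = parseB64urlJson(parts[1]);
  if (!header || typeof header !== 'object') throw new Error('header is not a JSON object');
  if (!payload || typeof payload !== 'object') throw new Error('payload is not a JSON object');
  const warnings = [];
  // Critical: unsecured token (alg "none" in any casing) or an empty signature part
  if (String(header.alg).toLowerCase() === 'none' || parts[2] === '') {
    warnings.push('CRITICAL: alg "none" / unsigned token; nothing protects this payload');
  }
  if (typeof payload.exp !== 'number') warnings.push('WARNING: no exp claim, token never expires');
  else if (payload.exp <= now) warnings.push(`WARNING: token expired at ${toIso(payload.exp)}`);
  if (typeof payload.nbf === 'number' && payload.nbf > now) {
    warnings.push(`INFO: token not valid before ${toIso(payload.nbf)}`);
  }
  for (const claim of Object.keys(payload)) {
    if (SENSITIVE_CLAIM.some((re) => re.test(claim))) {
      warnings.push(`WARNING: claim "${claim}" looks sensitive; JWT payloads are readable by anyone`);
    }
  }
  if (token.length > LARGE_TOKEN_BYTES) warnings.push(`INFO: token is ${token.length} bytes`);
  // Human-readable timestamps for the registered time claims
  const times = {};
  for (const c of ['exp', 'nbf', 'iat']) if (typeof payload[c] === 'number') times[c] = toIso(payload[c]);
  return { header, payload, signature: parts[2], times, warnings };
}

// Constructed sample: an unsigned token carrying a password claim (test data, not a real token)
const SAMPLE_UNSIGNED = [
  Buffer.from(JSON.stringify({ alg: 'none', typ: 'JWT' })).toString('base64url'),
  Buffer.from(JSON.stringify({ sub: 'user-42', password: 'hunter2', iat: 1700000000 })).toString('base64url'),
  '',
].join('.');
```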

Privacy & Security

Your JWT tokens and secret keys are highly sensitive. Unlike other online JWT tools that may send your data to servers for processing, our tool operates entirely in your browser.

What We DO:

  • Process everything locally in JavaScript
  • Use Web Crypto API for secure operations
  • Provide security warnings and best practices
  • Support all standard JWT algorithms

What We DON'T DO:

  • Upload your tokens or secrets to any server
  • Store tokens in cookies or localStorage
  • Make external API calls with your data
  • Track or log your JWT contents

Security Note: While our tool is safe for development and testing, always follow JWT security best practices in production: use strong secrets, set appropriate expiration times, validate signatures, and never store sensitive data in JWT payloads (JWTs are signed, not encrypted).

How to Use the JWT Decoder

Decode a JWT Token

  1. Click the Decode tab
  2. Paste your JWT token into the input field
  3. View the decoded header, payload, and signature below
  4. Check for security warnings at the top of the page
  5. Copy individual sections or decoded values as needed

Verify a JWT Signature

  1. Click the Verify tab
  2. Paste your JWT token into the input field
  3. Enter your secret key (for HMAC) or public key (for RSA/ECDSA)
  4. Select the matching algorithm from the dropdown
  5. View the verification result — green for valid, red for invalid

Generate a New JWT Token

  1. Click the Generate tab
  2. Select your desired algorithm from the dropdown
  3. Enter your secret key (keep this secure!)
  4. Click Add Claim to add payload claims
  5. Enter claim names (e.g., sub, exp, iss) and values
  6. Click Generate JWT Token to create your token
  7. Copy the generated token for use in your application

Frequently Asked Questions

Is it safe to decode production JWTs in an online tool?

Our JWT decoder is 100% client-side, meaning your tokens never leave your browser or get uploaded to any server. However, for production tokens containing sensitive data, we recommend using this tool only in secure environments. If you're concerned about security, you can use this tool offline by saving the page locally, or use command-line JWT tools for maximum security.

What does the "Algorithm is 'none'" warning mean?

The algorithm "none" marks an unsecured JWT: the token carries no signature, so there is nothing to verify and anyone can create or modify it without knowing a secret key. This is a severe security risk and should never be used in production. If you see this warning, the token is likely invalid or part of a security exploit attempt.

Why is my JWT signature verification failing?

Signature verification can fail for several reasons: (1) The secret key is incorrect, (2) The wrong algorithm is selected, (3) The token has been modified or tampered with, (4) For RSA/ECDSA, you need the public key (not the private key) to verify, (5) The token format is invalid. Double-check your secret key, ensure you've selected the correct algorithm from the token's header, and verify the token hasn't been modified.

What's the difference between symmetric and asymmetric JWT algorithms?

Symmetric algorithms (HMAC: HS256, HS384, HS512) use the same secret key for both signing and verifying tokens. This is simpler but requires sharing the secret key between all parties. Asymmetric algorithms (RSA: RS256/384/512, ECDSA: ES256/384/512) use a private key to sign tokens and a public key to verify them. This is more secure for distributed systems where multiple services need to verify tokens but shouldn't be able to create them.

Should I store sensitive data in JWT payloads?

No. JWTs are signed (to prevent tampering) but not encrypted. Anyone who receives the JWT can decode and read the payload using a tool like this. Only store non-sensitive information in JWTs, such as user IDs, roles, and public metadata. Never store passwords, credit card numbers, social security numbers, or other sensitive data in JWT payloads. If you need to transmit sensitive data, use JWE (JSON Web Encryption) instead.

How do I set an expiration time for my JWT?

Add an "exp" (expiration) claim to your JWT payload with a Unix timestamp value. For example, to create a token that expires in 1 hour, calculate the current time plus 3600 seconds: Math.floor(Date.now() / 1000) + 3600. Our generator allows you to add custom claims — just add a claim with key "exp" and the timestamp value. Always include expiration claims in production JWTs to limit the damage if a token is compromised.

JWT Best Practices

  • Always set expiration: Use the "exp" claim to limit token lifetime. Short-lived tokens (15-60 minutes) are more secure.
  • Use strong secrets: For HMAC algorithms, use cryptographically random secrets of at least 256 bits (32 bytes).
  • Validate on every request: Always verify JWT signatures and check expiration claims on the server side before trusting token data.
  • Use HTTPS only: JWTs should only be transmitted over HTTPS to prevent man-in-the-middle attacks.
  • Implement token refresh: Use short-lived access tokens with refresh tokens to balance security and user experience.
  • Store securely: In browsers, use httpOnly cookies for JWTs when possible. Avoid localStorage for sensitive tokens.