Skip to content
Calcipedia

JWT Decoder and Encoder

Decode, encode, verify, and explore JSON Web Tokens with local claim inspection, HS signing, signature verification, and security warnings.

Last updated

JWT workspace

Result

Paste a JWT to inspect it.

Decode, verify, and inspect claims locally in your browser.

The JWT is not ready yet Enter a compact JWT to decode its header, payload, and signature.
← All Data calculators

JWT Debugging

JWT decoder, encoder, signature verifier, and claim explorer for JSON Web Tokens

A JWT decoder turns a compact JSON Web Token into readable header, payload, signature, and claim timing details so developers can debug authentication and authorization flows without writing a one-off script.

What a JWT decoder is for

A JSON Web Token is a compact representation of claims. In the common signed form, it has three Base64URL parts separated by dots: a protected header, a payload, and a signature. A JWT decoder is useful because the header and payload are encoded for transport, not encrypted for secrecy. That means a developer can inspect the algorithm, key ID, issuer, subject, audience, expiration time, scopes, roles, and custom claims without needing the signing key.

That inspection workflow is the core intent behind searches such as JWT decoder, JWT token decoder, JSON Web Token decoder, JWT debugger, JWT parser, and online JWT verifier. A weak tool only pretty-prints JSON. A stronger JWT explorer also explains NumericDate claims, separates decode from signature verification, shows the raw Base64URL parts, and warns when the token is readable but still not trustworthy.

How the compact JWT format works

For a signed JWT, the JWS compact format signs the ASCII string formed by the Base64URL-encoded protected header, a period, and the Base64URL-encoded payload. The signature is then Base64URL-encoded as the third part. This is why changing one character in the header or payload breaks signature verification even though the decoded JSON may still look valid.

JWT payload dates use NumericDate values: seconds from 1970-01-01T00:00:00Z UTC. That is why this page converts exp, nbf, and iat into readable UTC times and explains whether the token is expired, not yet valid, or issued in the future. It also keeps the raw encoded parts visible because copy-paste errors often happen in the compact representation rather than in the decoded JSON.

JWT = BASE64URL(header) + "." + BASE64URL(payload) + "." + BASE64URL(signature)

The ordinary signed compact form has three dot-separated parts.

JWS signing input = ASCII(BASE64URL(UTF8(header)) + "." + BASE64URL(payload))

The signature is calculated over the encoded header and encoded payload, not over the pretty-printed JSON displayed by a debugger.

NumericDate = seconds since 1970-01-01T00:00:00Z UTC

Registered time claims such as exp, nbf, and iat use seconds, not JavaScript milliseconds.

Further reading

Decode, verify, and encode are different jobs

Decoding a JWT only proves that the compact parts can be Base64URL-decoded and parsed as JSON. It does not prove that the issuer created the token, that the audience is correct, or that the payload should be trusted. Verification is the cryptographic step: the verifier checks the signature against the signing input with the expected algorithm and the correct secret or public key.

Encoding is different again. This page can create signed HMAC tokens for fixtures, documentation examples, local API tests, and teaching. It deliberately does not perform browser-based private-key signing for RSA, PSS, or ECDSA because production private keys should stay in controlled local or server-side key-management workflows. It can still verify RSA, PSS, and ECDSA signatures when you paste a public PEM key or public JWK.

  • Use decode mode to inspect header, payload, raw signature, registered claims, and security warnings.
  • Use verify mode with an HMAC secret, public PEM key, or public JWK when you need to check whether the signature matches the compact token.
  • Use encode mode for HS256, HS384, and HS512 test tokens where a shared secret is appropriate.
  • Use server-side issuer validation for production decisions because audience, issuer, nonce, token use, clock skew, and revocation rules are application-specific.

How this JWT tool improves on basic decoders

Competitor research shows a clear split. jwt.io remains the familiar reference because it combines decode, encode, and signature verification. Privacy-focused alternatives emphasise browser-only processing. Smaller JWT decoder pages often stop at formatted header and payload output and leave signature verification, claim timing, and security interpretation to the reader.

This page is built to cover the full debugging workflow in one place: decode the compact token, inspect the header and payload, verify HMAC or public-key signatures, create HS-signed fixtures, convert exp, nbf, and iat into readable times, flag alg none, warn about missing expiration, and highlight sensitive-looking claim names. Those details make it useful as a JWT decoder online, JWT encoder, JWT verifier, and JSON Web Token claim explorer rather than just a pretty JSON viewer.

Further reading

Worked example: inspect an OAuth access token

Suppose an API call is failing with a 401 response and you paste the Bearer token into the decoder. The header shows HS256, RS256, or another JOSE algorithm. The payload shows iss, sub, aud, scope, iat, nbf, and exp. The claim explorer then translates the NumericDate values into readable times so you can quickly see whether the token is expired, not valid yet, issued far in the future because of clock skew, or aimed at a different audience than the API expects.

If you have the shared HMAC secret or the issuer's public key, verification adds the cryptographic check. A verified signature means the compact header and payload match the supplied key and algorithm. It still does not mean your application should accept the token automatically. Production systems also need issuer allow-lists, audience checks, nonce or token-use checks where relevant, key rotation handling, and whatever revocation or session policy the application requires.

Security limits and privacy model

This tool runs in the browser and is designed for local inspection. That privacy model is important because JWTs often contain user identifiers, scopes, tenant IDs, email addresses, or other operational metadata. Even so, the safest production habit is to avoid pasting long-lived production tokens or live shared secrets into any web page unless you control and trust the environment.

JWTs are frequently misunderstood as encrypted blobs. Ordinary signed JWTs are not encrypted; anyone who has the compact token can decode the header and payload. Do not put passwords, API keys, private keys, card data, or similarly sensitive values in a signed JWT payload. If confidentiality is required, the architecture needs encryption such as JWE or a different token design, and the receiving service must still validate the token according to its own policy.

Further reading

Frequently asked questions

Can I decode a JWT without the secret key?

Yes. A signed JWT's header and payload are Base64URL-encoded JSON, so they can be decoded without the secret or public key. The key is needed for signature verification, not for reading the claims. This is why JWT payloads should never contain passwords, API secrets, card data, or other information that must remain confidential.

What is the difference between decoding and verifying a JWT?

Decoding parses the compact token into readable JSON. Verification checks the signature over the original encoded header and encoded payload using the expected algorithm and key. A token can decode successfully and still be forged, expired, aimed at the wrong audience, or signed with the wrong key.

What do exp, nbf, and iat mean in a JWT payload?

exp is the expiration time, nbf is the not-before time, and iat is the issued-at time. All three are NumericDate values measured in seconds since the Unix epoch. This page converts those values into readable UTC timestamps and explains whether the token is expired, not yet valid, or affected by possible clock skew.

Why does my JWT signature fail verification?

Common causes include using the wrong secret or public key, choosing the wrong algorithm, treating a Base64URL-encoded secret as plain text, copying a token with missing characters, changing formatted JSON instead of the original compact signing input, or verifying a token against the wrong issuer's key. For public-key algorithms, also confirm that the kid header points to the key that actually signed the token.

Is HS256 or RS256 better for JWTs?

They solve different deployment problems. HS256 uses one shared secret for signing and verification, so every verifier that can check the token can also create tokens. RS256 uses a private key for signing and a public key for verification, which is often better when many services need to verify tokens without receiving the issuer's private signing key.

What does alg none mean?

alg none means the token is unsecured and has no cryptographic signature. The JWT and JWS specifications allow unsecured tokens for specific use cases, but ordinary authentication and authorization systems should not accept them unless the application has explicitly designed for that mode.

Can this JWT encoder create production tokens?

Use it for fixtures, documentation, tutorials, and local debugging. Production token issuance should happen in your authentication service where keys, issuer policy, expiration policy, audience rules, revocation, and audit logging are controlled. This page signs HMAC test tokens locally and avoids private-key browser signing for asymmetric algorithms.

What is Base64URL and why do JWTs use it?

Base64URL is a URL-safe variant of Base64 that replaces characters such as plus and slash and commonly omits padding. JWT compact serialization uses Base64URL so tokens can travel safely in HTTP headers, URLs, cookies, logs, and configuration text without extra escaping.

Can a JWT decoder tell me whether a token should be accepted by my API?

No decoder can make that full decision by itself. Acceptance depends on server policy: expected issuer, expected audience, allowed algorithms, key rotation rules, clock skew, scopes, token type, revocation state, and application-specific claims. This page helps you inspect and verify the token, but the API must still enforce its own validation rules.

Is it safe to paste a JWT into an online decoder?

It depends on the page and the token. This tool is designed to process tokens locally in the browser, but production tokens can still expose user identifiers, tenant data, scopes, or session context to anyone looking at your screen or browser history. Prefer short-lived test tokens when possible, and avoid pasting live shared secrets into untrusted environments.

Also in Data

3D Printing Cost Calculator AI ROI Calculator AI Token Cost Calculator Barcode Generator Battery Life Calculator Display Calculator Qr Code Generator RAID Calculator Video File Size Calculator

You may also need

Unix Time Converter

Related

More from nearby categories

These related calculators come from the same leaf category, nearby sibling categories, or the same top-level topic.

Hash Generator calculator card image

Hash Generator

Generate MD5, SHA-1, SHA-256, SHA-512, checksum, CRC, and HMAC outputs locally in your browser, compare published digests, and switch between hex, Base64.

 Password Generator calculator card image

Password Generator

Generate strong random passwords or memorable passphrases locally in your browser, with password manager presets, batch output, entropy estimates.

 AI Token Cost calculator card image

AI Token Cost Calculator

Estimate monthly AI API spend from prompt tokens, completion tokens, request volume, prompt caching, retry overhead, budget guardrails, and per-token pricing.

 3D Printing Cost calculator card image

3D Printing Cost Calculator

Estimate 3D printing cost and quote price from filament, waste, failed-print risk, electricity, machine wear, labour, packaging, platform fees, markup, profit.