🔐 JWT Encoder / Decoder

Encode, decode, verify, and inspect JSON Web Tokens entirely in your browser. Your data never leaves your device.


What Is a JSON Web Token (JWT)?

A JSON Web Token (JWT, pronounced "jot") is a compact, URL-safe token format used to securely transmit information between parties as a JSON object. JWTs are widely used for authentication and authorization in web applications, APIs, and microservices. They are defined in RFC 7519 and have become the de facto standard for stateless authentication on the web.

JWT Structure

A JWT consists of three parts separated by dots (xxxxx.yyyyy.zzzzz):

  • Header: Contains the token type (JWT) and the signing algorithm (HS256, RS256, etc.).
  • Payload: Contains claims — statements about the user and additional metadata (e.g., user ID, email, roles, expiration time).
  • Signature: A cryptographic value (an HMAC for HS256-style algorithms, or a digital signature for RS256 and similar) computed over the encoded header and payload with a key. A verifier recomputes or checks it to detect any tampering with the header or payload.

Encoding vs Decoding

Decoding extracts the header and payload from a JWT — no secret key is needed since JWTs are only Base64URL-encoded, not encrypted. Encoding creates a new JWT by combining a header, payload, and cryptographic signature using a secret key. Verification checks that the signature matches the header+payload using the correct secret, confirming the token hasn't been tampered with.

Common JWT Claims

  Claim   Name         Purpose
  iss     Issuer       Who created and signed the token
  sub     Subject      The user or entity the token represents
  aud     Audience     The intended recipient(s) of the token
  exp     Expiration   Unix timestamp when the token expires
  iat     Issued At    Unix timestamp when the token was created
  nbf     Not Before   Token is not valid before this time
  jti     JWT ID       Unique identifier to prevent token replay

Common Use Cases

  • API Authentication: Clients include JWTs in the Authorization: Bearer header for stateless API authentication.
  • Single Sign-On (SSO): JWTs enable authentication across multiple services without repeated logins.
  • Microservices: Services pass JWTs to propagate user identity and permissions across service boundaries.
  • Token Debugging: Decode JWTs to inspect claims during development and troubleshooting.

How to Use This Tool

  1. Paste your JWT token into the input area on the Decode tab.
  2. Click Decode to view the header, payload, and signature.
  3. Switch to the Encode tab to create new JWTs with custom claims.
  4. Use the Verify tab to check a token's HMAC signature with your secret key.

Why Use This Tool?

  • Full JWT toolkit: decode, encode, and verify — all in one page.
  • Runs 100% in your browser using the Web Crypto API.
  • Your tokens and secret keys never leave your device.
  • Supports HS256, HS384, and HS512 algorithms.

Frequently Asked Questions

Is it safe to decode JWTs?

JWTs are encoded (Base64URL), not encrypted. Anyone can decode and read the payload — the signature only prevents tampering. Never store sensitive information (passwords, credit cards) in JWT payloads.

Does this tool verify the signature?

Yes! The Verify Signature tab lets you check a token's signature using HMAC-SHA (HS256/HS384/HS512) with a secret key. Everything runs entirely in your browser using the Web Crypto API — your secret key is never sent anywhere.

Can I encode/create JWTs here?

Absolutely. The Encode tab lets you build a JWT from a custom header and payload, sign it with a secret key, and optionally add iat and exp claims automatically. The generated token is fully valid and can be used for testing and development.
