Aarunya Apps

How it works

  1. Paste your JWT

    Drop a token from your app, an API response, or a cookie. The header, payload, and signature are colour-coded immediately.

  2. Inspect claims and expiry

    See the decoded JSON header and payload, every claim in a table, and a live badge showing whether the token is valid or expired.

  3. Verify the signature (optional)

    For HMAC-SHA256 tokens, enter your secret to verify the signature locally using the Web Crypto API — your secret never leaves the tab.

🛡️ Verify zero uploads — open DevTools → Network tab

Open your browser's DevTools (F12), go to the Network tab, and use this tool. You will see zero outbound requests — all processing runs inside your browser sandbox via WebAssembly or pure JavaScript. Nothing you paste or upload is ever sent anywhere.

Use cases

Debug auth flows during development

Paste the token your backend issues and immediately see which claims are present, whether the expiry is set correctly, and that the audience (aud) is right.

Verify JWT signature without a server

Confirm that a token was signed with your secret locally, without sending it through a third-party debugger like jwt.io.

Audit third-party API tokens

Inspect JWTs from external providers (Auth0, Supabase, Firebase, Clerk) to understand the included claims, scopes, and expiry windows.

Frequently Asked Questions

Is it safe to paste my JWT here?

Yes. This tool decodes entirely in your browser using JavaScript — no data is sent to any server. Open DevTools → Network while using it and you'll see zero requests. That said, avoid pasting production tokens for live users; use test tokens for debugging.

What does the signature verification check?

For HMAC-SHA256 (HS256) signed tokens, the tool re-computes the expected signature from the header and payload using your secret, then compares it to the signature in the token. If they match, the token is authentic and hasn't been tampered with. RSA and ECDSA (RS256, ES256) require the public key — public-key verification is coming soon.

What are the most common JWT claims?

Standard claims: iss (issuer), sub (subject / user ID), aud (audience), exp (expiry timestamp), iat (issued at), nbf (not before), jti (unique token ID). Claims in blue in the table are standard RFC 7519 claims; others are custom claims added by your application.

Why is the expiry time showing the wrong timezone?

JWT exp, iat, and nbf values are Unix timestamps (seconds since epoch). This tool converts them to your browser's local timezone for display. The raw Unix timestamp in the table is always timezone-independent.

How is this different from jwt.io?

jwt.io sends your token to its servers to decode. This tool decodes entirely client-side — your token never leaves the browser tab. It also runs offline once cached, and includes an expiry status badge and claims table without requiring you to scroll.
