JWT Decoder & Validator — Decode Header/Payload + Verify HS256/RS256 Signatures Client-Side
Free online JWT decoder and signature validator. Decode the header and payload, highlight registered claims (iss/sub/aud/exp/iat/nbf/jti), check expiration in real time, and verify HS256/HS384/HS512 signatures with a shared secret or RS256/384/512 signatures with a PEM public key. 100% client-side: your tokens never leave the browser. Uses the Web Crypto API.
What is a JWT?
JSON Web Token (JWT) is a compact, URL-safe token format defined in RFC 7519. A token has three base64url-encoded parts joined by dots: header.payload.signature. JWTs are used for stateless auth, API authorization, SSO, and OAuth2 access/ID tokens. They are the standard token format for Auth0, Clerk, Supabase, Firebase Auth, and most modern auth providers.
What this tool does
- Decodes header + payload — pure browser-side base64url, token never leaves your device
- Highlights registered claims — iss/sub/aud/exp/iat/nbf/jti auto-labelled with descriptions
- Expiration check — real-time "expired" / "expires in X" indicator
- Signature verification — HS256/384/512 with shared secret + RS256/384/512 with PEM public key, all via Web Crypto API locally, zero backend calls
Common JWT algorithms
| Alg | Type | Use |
|---|---|---|
| HS256 | HMAC + SHA-256 (symmetric) | Shared secret, most common for small services |
| RS256 | RSA + SHA-256 (asymmetric) | Big platforms (Auth0, Firebase) |
| ES256 | ECDSA + SHA-256 (asymmetric) | Mobile / short tokens |