JWT Decoder & Debugger
Decode JWT tokens, verify HS256 & RS256 signatures, check expiration, and inspect all claims. 100% client-side — no data leaves your browser.
Frequently Asked Questions
What is a JSON Web Token (JWT)?
A JWT is a compact, URL-safe token format used for securely transmitting information between parties as a JSON object. It consists of three base64url-encoded parts separated by dots: a header (algorithm and type), a payload (claims/data), and a signature. The header and payload are only encoded, not encrypted, so anyone who holds the token can read them; the signature protects integrity, not confidentiality. JWTs are the industry standard (RFC 7519) for authentication and authorization in web applications.
How does JWT signature verification work?
For HS256 tokens, the tool re-computes the HMAC-SHA256 signature using the secret you provide and compares it against the token's signature. For RS256, it uses the RSA public key to cryptographically verify the signature. All verification happens in your browser using the Web Crypto API — no data leaves your machine.
What algorithms does this JWT debugger support?
This tool supports decoding JWTs with any algorithm, and can verify signatures for HS256 (HMAC with SHA-256) and RS256 (RSA with SHA-256) — the two most common JWT signing algorithms. For HS256, enter the shared secret. For RS256, paste the public key in PEM format.
What do the standard JWT claims mean?
iss (issuer) identifies who created the token. sub (subject) identifies the user. exp (expiration) is when the token expires. iat (issued at) is when it was created. nbf (not before) is the earliest time the token is valid. aud (audience) specifies the intended recipient. These are registered claims defined in RFC 7519.
Is my JWT data safe in this tool?
Yes. All decoding and signature verification happens entirely in your browser using JavaScript and the Web Crypto API. No token data is sent to any server. However, as a security best practice, avoid pasting production tokens containing sensitive information into any online tool.
How do I check if a JWT token is expired?
Paste your JWT into this tool and it will automatically detect the exp (expiration) claim, show whether the token is expired or still valid with a color-coded status badge, and display the exact expiry time in human-readable format along with how long ago it expired or how long until it expires.
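The HS256 signature check and the exp test described in the answers above can be reproduced with the Web Crypto API. This is an added example, not this tool's own source code; the function names verifyHs256 and signHs256 and the sample secret are assumptions made for illustration.

```javascript
// Added example: HS256 verification with Web Crypto (browser, or Node via the fallback).
const subtle = (globalThis.crypto ?? require("node:crypto").webcrypto).subtle;
const enc = new TextEncoder();
const dec = new TextDecoder();

// base64url -> bytes: JWT segments use "-" and "_" and drop "=" padding.
function b64urlToBytes(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  return Uint8Array.from(atob(b64.padEnd(Math.ceil(b64.length / 4) * 4, "=")), (c) => c.charCodeAt(0));
}
const bytesToB64url = (buf) =>
  btoa(String.fromCharCode(...new Uint8Array(buf)))
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");

const hmacKey = (secret, usage) =>
  subtle.importKey("raw", enc.encode(secret), { name: "HMAC", hash: "SHA-256" }, false, [usage]);

// Returns { valid, reason, header?, payload? }. The algorithm is fixed by this
// function; the token's own "alg" header is checked against it, never trusted.
async function verifyHs256(token, secret, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split(".");
  if (parts.length !== 3) return { valid: false, reason: "malformed" };
  let header, payload, sig;
  try {
    header = JSON.parse(dec.decode(b64urlToBytes(parts[0])));
    payload = JSON.parse(dec.decode(b64urlToBytes(parts[1])));
    sig = b64urlToBytes(parts[2]);
  } catch {
    return { valid: false, reason: "malformed" };
  }
  const fail = (reason) => ({ valid: false, reason, header, payload });
  if (header?.alg !== "HS256") return fail("unexpected alg");
  // The MAC covers the "header.payload" text exactly as received.
  const data = enc.encode(parts[0] + "." + parts[1]);
  if (!(await subtle.verify("HMAC", await hmacKey(secret, "verify"), sig, data))) return fail("bad signature");
  // Time claims are only meaningful once the signature has been verified.
  if (typeof payload?.exp === "number" && nowSec >= payload.exp) return fail("expired");
  if (typeof payload?.nbf === "number" && nowSec < payload.nbf) return fail("not yet valid");
  return { valid: true, reason: "ok", header, payload };
}

// Builds a constructed sample token (secret and claims here are made up).
async function signHs256(payload, secret, header = { alg: "HS256", typ: "JWT" }) {
  const input = [header, payload].map((o) => bytesToB64url(enc.encode(JSON.stringify(o)))).join(".");
  const mac = await subtle.sign("HMAC", await hmacKey(secret, "sign"), enc.encode(input));
  return input + "." + bytesToB64url(mac);
}
```

The expiry and not-before checks run only after the signature verifies, so an unsigned or altered token is reported as such rather than as merely expired.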