Developer Tool

JWT Decoder & Verifier

Decode and verify any JSON Web Token (JWT) free — supports HS256, HS384, HS512, RS256, RS384, RS512. 100% client-side via Web Crypto API. No signup.

✅ Free Forever 🔒 No Signup ⚡ Instant Results 🌐 Browser Based

Quick Answer

The JWT Decoder is a free, browser-based tool that splits any JSON Web Token into its header, payload and signature, decodes the Base64URL-encoded claims, and verifies the signature with your secret (HMAC) or public key (RSA). Your token never leaves your device.

Paste your JWT

Header

{
  "alg": "HS256",
  "typ": "JWT"
}

Payload (claims)

{
  "sub": "1234567890",
  "name": "Jane Doe",
  "iat": 1516239022,
  "exp": 1900000000
}

iat (issued at): 2018-01-18T01:30:22.000Z (3044 days ago)

exp (expires): 2030-03-17T17:46:40.000Z (in 1397 days)

Secret

🔒 Your JWT and secret never leave your browser — all decoding and verification runs locally via the Web Crypto API.

Quick Facts

Tool Name: JWT Decoder & Verifier
Category: Developer Tool
Price: ✓ Free
Platform: Browser Based
Login Required: ✓ No
Last updated: 2026-05-20

How to Use JWT Decoder & Verifier

Enter Your Input
Paste your text or fill in the required fields in the tool above.
Click Generate
Hit the generate or analyze button to start processing.
Get Instant Results
The tool processes your input instantly in your browser.
Copy or Export
Copy your results to clipboard or download the output.

How to decode and verify a JWT

Paste a JWT into the input. The tool immediately splits it on the two dots, Base64URL-decodes the header and payload, and shows them as formatted JSON. If you also paste a secret (for HMAC algorithms) or a public key in PEM format (for RSA algorithms), the Verify signature button runs the browser's Web Crypto API to confirm whether the signature is genuine.

What's inside a JWT?

A JWT has three Base64URL-encoded parts separated by dots: header.payload.signature. The header declares the signing algorithm (e.g. HS256). The payload contains claims — standard ones like sub (subject), iat (issued at), exp (expiry), plus any custom ones your application adds. The signature is created over header.payload using either a shared secret (HMAC) or a private key (RSA / ECDSA).

Related developer tools

Hash Generator — compute SHA-256 / HMAC for any text or file
cURL → Code Converter — turn cURL into fetch, axios, Python and 7 more
Regex Tester — test JS regex with live highlights

Frequently Asked Questions

Everything you need to know about JWT Decoder & Verifier

Is it safe to paste a real JWT here?

Yes. This tool runs 100% in your browser — your JWT and signing key never leave your device. Decoding uses pure JavaScript, and signature verification uses the browser's built-in Web Crypto API. Nothing is logged or sent to any server.

Which signing algorithms does the verifier support?

HS256, HS384 and HS512 (HMAC with a shared secret), and RS256, RS384 and RS512 (RSA with a public key in PEM/SPKI format). ES256 / EdDSA support is planned. If the signature algorithm in the header isn't supported, you'll see a clear error message.

Why does my signature show as invalid?

Three common causes: (1) the secret or public key you pasted is wrong, (2) the JWT was tampered with after it was signed, (3) you have extra whitespace or a trailing newline in the secret. Re-copy the secret directly from your env file and try again.

Can I check if a JWT is expired?

Yes — once decoded, the tool shows the `iat` (issued-at), `nbf` (not-before) and `exp` (expiry) claims with human-readable timestamps and a relative time (e.g. 'in 3 days' or '2 hours ago'). If `exp` is in the past, the token is expired.

What's the difference between this and jwt.io?

Functionally similar, but FreeAIToolz JWT Decoder is fully free, has no signup, no ads, no telemetry, and clearly displays which alg is used. Everything runs locally — jwt.io now requires Auth0 for many features and ships heavier analytics.

Need more than free tools?

Get Custom AI Solutions from AI2Flows