JWT Decoder & Verifier
Paste a JSON Web Token to inspect its header, payload, and signature. Provide a shared secret (HS256/384/512) or a public key in PEM (RS / PS / ES) to verify it. Everything runs in your browser via Web Crypto. The token never leaves your machine.
How verification works
A JWT is three base64url-encoded parts separated by dots: header.payload.signature. The header announces the signing algorithm; the payload carries claims; the signature is the MAC or signature over base64url(header) + "." + base64url(payload).
For HS256/384/512 (HMAC), the signature is computed with a shared secret. Paste the same secret to verify.
For RS256/384/512 (RSA-PKCS1), PS256/384/512 (RSA-PSS), and ES256/384 (ECDSA with P-256 / P-384), the issuer signs with a private key and you verify with the matching public key in PEM format (the -----BEGIN PUBLIC KEY----- block from an X.509 SPKI export).
Verification happens entirely in your browser through the SubtleCrypto API.
The token, secret, and key are never sent anywhere.
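
The HMAC case described above, as an added example that is not this tool's own code: it verifies an HS256/384/512 token with SubtleCrypto and rejects any token whose header alg differs from the algorithm the caller pins. The function names, the sample claims and the secret are constructed for illustration.

```javascript
// Added example (not the tool's own code): HMAC JWT verification via SubtleCrypto.
// Older Node builds lack the global, so fall back to node:crypto's webcrypto export.
const subtle = globalThis.crypto?.subtle ?? require('node:crypto').webcrypto.subtle;
const enc = new TextEncoder(), dec = new TextDecoder();
// JWT alg -> Web Crypto hash. A Map avoids prototype keys such as "constructor".
const HMAC_HASH = new Map([['HS256', 'SHA-256'], ['HS384', 'SHA-384'], ['HS512', 'SHA-512']]);

function b64urlToBytes(s) {
  if (!/^[A-Za-z0-9_-]*$/.test(s)) throw new Error('invalid base64url');
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  return Uint8Array.from(atob(b64 + '='.repeat((4 - (b64.length % 4)) % 4)), c => c.charCodeAt(0));
}
function bytesToB64url(bytes) {
  return btoa(String.fromCharCode(...bytes)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function hmacKey(secret, alg, usage) {
  if (!HMAC_HASH.has(alg)) throw new Error(`unsupported alg: ${alg}`);
  return subtle.importKey('raw', enc.encode(secret), { name: 'HMAC', hash: HMAC_HASH.get(alg) }, false, [usage]);
}

// Helper used only to construct a sample token for the demo.
async function signJwt(header, payload, secret) {
  const input = [header, payload].map(o => bytesToB64url(enc.encode(JSON.stringify(o)))).join('.');
  const sig = await subtle.sign('HMAC', await hmacKey(secret, header.alg, 'sign'), enc.encode(input));
  return `${input}.${bytesToB64url(new Uint8Array(sig))}`;
}

// expectedAlg is pinned by the caller; the header's alg is checked against it, never trusted alone.
async function verifyJwt(token, secret, expectedAlg) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('expected header.payload.signature');
  const [h, p, s] = parts;
  const header = JSON.parse(dec.decode(b64urlToBytes(h)));
  if (header.alg !== expectedAlg) throw new Error(`alg ${header.alg} does not match ${expectedAlg}`);
  const key = await hmacKey(secret, expectedAlg, 'verify');
  // The signed input is the encoded text exactly as received, not re-serialized JSON.
  const valid = await subtle.verify('HMAC', key, b64urlToBytes(s), enc.encode(`${h}.${p}`));
  // Claims are only returned once the signature has checked out.
  return { valid, header, payload: valid ? JSON.parse(dec.decode(b64urlToBytes(p))) : null };
}

async function demo() {
  const token = await signJwt({ alg: 'HS256', typ: 'JWT' }, { sub: 'alice' }, 'constructed-secret');
  const good = await verifyJwt(token, 'constructed-secret', 'HS256');
  const bad = await verifyJwt(token, 'wrong-secret', 'HS256');
  return [good.valid, bad.valid];
}
demo().then(r => console.log(r));
```

The same code runs in a browser console, where the global crypto.subtle is used and the Node fallback is never evaluated.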