JWT Decoder

FAQ

What is JWT?

JWT (JSON Web Token) is a compact, URL-safe token format widely used for authentication, authorization, and secure data exchange between systems. JWTs can be digitally signed to verify integrity and help detect whether a token has been tampered with.

What are the three parts of a JWT?

A JWT consists of three Base64URL-encoded sections separated by dots (.).

  • Header: Contains metadata such as the token type and signing algorithm.
  • Payload: Contains claims and user-related data.
  • Signature: Used to verify that the token has not been modified.

Which signing algorithms are supported?

This tool currently supports the following JWT signing algorithms:

  • HS256, HS384, HS512 (HMAC)
  • RS256, RS384, RS512 (RSA)

For HMAC algorithms, enter the secret key used to sign the token. For RSA algorithms, provide a PEM-formatted public key.

What do iat, nbf, and exp mean?

Common JWT time-related claims include:

  • iat (Issued At): The time when the token was issued.
  • nbf (Not Before): The time before which the token must not be accepted.
  • exp (Expiration Time): The time when the token expires.

This tool automatically converts Unix timestamps into readable dates and checks whether a token has expired or is not yet valid.

Can I decode a JWT without a key?

Yes.

  • The Header and Payload are simply Base64URL-encoded data; they are encoded, not encrypted, so anyone holding the token can read them.
  • No secret key or public key is required to decode them.
  • A verification key is only needed when validating the token's signature.

How do I verify a JWT signature?

To verify a JWT signature:

  • Paste the JWT into the input box.
  • Enter the appropriate verification key.
  • Click "Decode & Verify".

HS256, HS384, and HS512 require the original secret key. RS256, RS384, and RS512 require a PEM-formatted RSA public key.

What does 'Signature verification failed' mean?

This message usually indicates one of the following:

  • The verification key is incorrect.
  • The JWT header or payload has been modified.
  • The actual signing algorithm does not match the algorithm declared in the JWT header.
  • The provided RSA public key does not correspond to the private key used to sign the token.

Is my JWT uploaded to a server?

No.

  • JWT decoding and signature verification are performed entirely within your browser.
  • JWT contents and verification keys are not sent to any server.
  • Sensitive tokens, secrets, and authentication data remain on your device.