WebPiki

JWT Decoder/Encoder

Decode JWT tokens, inspect claims, and encode with HS256

Overview

Decode JWT (JSON Web Token) strings to inspect header and payload claims. The tool parses and displays expiration (exp), issuer (iss), subject (sub), and other fields. You can also encode tokens with the HS256 algorithm. Useful for quickly checking token contents during API development or authentication debugging.

Key Features

  • JWT token decoding (header + payload)
  • Per-claim parsing with timestamp conversion (exp, iat, etc.)
  • JWT encoding with HS256 signature
  • Token expiration status display
  • Color-coded parts (header, payload, signature)

How to Use

  1. Paste the JWT token string into the input field.
  2. The header and payload are decoded and displayed automatically.
  3. To encode, enter the payload JSON and a secret key to generate a JWT.

Tips

  • JWT payloads are Base64URL-encoded, not encrypted. Anyone can decode them, so do not put sensitive data in the payload.
  • The exp claim is stored as a Unix timestamp. This tool converts it to a human-readable date.
  • This tool is for inspecting token structure. Avoid entering production secret keys here.

FAQ

Are other algorithms like RS256 supported?
Decoding works regardless of the algorithm. Encoding (signature generation) currently supports HS256 only. Asymmetric algorithms like RS256 may be added later.

Is the token sent to a server when I input it?
No. All decoding and encoding is processed in the browser. Tokens are never sent externally.

Can I verify signatures?
For HS256, you can enter the secret key to check if the signature matches. This feature is for development and debugging. Entering production keys in the browser is not recommended.
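
The Tips on Base64URL and exp and the FAQ answer on HS256 verification, as an added Node.js example that is not this tool's own code. The function names, the sample secret and the sample claims are constructed for illustration.

```javascript
const { createHmac, timingSafeEqual } = require('node:crypto');

const b64url = (text) => Buffer.from(text, 'utf8').toString('base64url');

// Decoding needs no key: header and payload are just Base64URL-encoded JSON.
function decodeJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('expected header.payload.signature');
  const [header, payload] = parts.slice(0, 2).map(
    (part) => JSON.parse(Buffer.from(part, 'base64url').toString('utf8')));
  return { header, payload, signingInput: `${parts[0]}.${parts[1]}`, signature: parts[2] };
}

// exp is seconds since the Unix epoch; JavaScript Date expects milliseconds.
function expiryStatus(payload, nowSeconds = Math.floor(Date.now() / 1000)) {
  if (typeof payload.exp !== 'number') return { expires: null, expired: false };
  return { expires: new Date(payload.exp * 1000).toISOString(),
           expired: nowSeconds >= payload.exp };
}

// HS256 is HMAC-SHA256 over the ASCII string "<header>.<payload>".
function signHs256(payload, secret) {
  const header = { alg: 'HS256', typ: 'JWT' };
  const input = `${b64url(JSON.stringify(header))}.${b64url(JSON.stringify(payload))}`;
  return `${input}.${createHmac('sha256', secret).update(input).digest('base64url')}`;
}

function verifyHs256(token, secret) {
  const { header, signingInput, signature } = decodeJwt(token);
  if (header.alg !== 'HS256') return false; // the verifier, not the token, picks the algorithm
  const expected = createHmac('sha256', secret).update(signingInput).digest();
  const given = Buffer.from(signature, 'base64url');
  // timingSafeEqual throws on length mismatch, so check length first.
  return given.length === expected.length && timingSafeEqual(given, expected);
}

// Constructed sample values (not real credentials).
const SAMPLE_SECRET = 'constructed-demo-secret';
const SAMPLE_TOKEN = signHs256(
  { iss: 'example-issuer', sub: 'user-123', exp: 1700000000 }, SAMPLE_SECRET);

// A modified payload still decodes cleanly; only the signature check rejects it.
function tamperSubject(token, newSub) {
  const [h, , sig] = token.split('.');
  const payload = { ...decodeJwt(token).payload, sub: newSub };
  return `${h}.${b64url(JSON.stringify(payload))}.${sig}`;
}
```

Decoded claims are readable by anyone and carry no assurance until the signature check passes, so a service should rely on them only after verification.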