JWT Decoder / Inspector

v1.0.0

Inspect JWT tokens by decoding the header and payload, checking standard timestamp claims, and reviewing the token structure in your browser.

Valid JWT: Yes
Signature Verified: No

Decoded Header

Algorithm: HS256
Type: JWT

Decoded Payload

Subject: 1234567890
name: John Doe
admin: true
Issued At: 1516239022 (2018-01-18T01:30:22.000Z)

JWT Decoder and Inspector

Use this JWT Decoder and Inspector to decode, inspect, verify, and edit JSON Web Tokens directly in your browser. It is useful when you need to debug authentication flows, review claims, validate signatures, inspect issuer metadata, or re-sign a token during development.

This tool goes beyond simple decoding. You can paste a JWT, inspect the decoded header and payload, review claims in a structured breakdown, verify the signature with common algorithms, and re-encode or sign the token again after editing.

What Is a JWT?

A JWT, or JSON Web Token, is a compact token format commonly used for authentication and authorization. A JWT typically contains three dot-separated parts:

  • Header
  • Payload
  • Signature

The header and payload are Base64URL-encoded JSON objects. The signature protects the token from tampering and is verified with a shared secret or a public key, depending on the algorithm.

What This Tool Can Do

This tool helps you:

  • Decode JWT header and payload instantly
  • Inspect claims in raw JSON or a claims breakdown view
  • Highlight standard claims such as iss, sub, aud, iat, nbf, and exp
  • Format time-based claims into readable dates
  • Verify signatures for common JWT algorithms
  • Paste PEM, JWK, or JWKS keys for verification
  • Auto-resolve JWKS from an OpenID Connect issuer when iss is present
  • Edit decoded header and payload, then re-encode the token
  • Sign the token again with a secret or private key when needed

Supported Verification and Signing Flows

The current tool supports common JWT workflows such as:

  • HS256, HS384, HS512 with a shared secret
  • RS256, RS384, RS512 with RSA keys
  • ES256, ES384, ES512 with elliptic-curve keys
  • EdDSA for Ed25519-style JWT usage

For asymmetric algorithms, you can provide:

  • PEM public keys for verification
  • PEM private keys for signing
  • JWK or JWKS documents when available

If the payload contains an OpenID-style issuer and the token header includes a matching kid, the tool can also fetch issuer configuration and resolve the correct JWKS automatically for verification.

Common Use Cases

  • Debugging access tokens returned by OAuth or OpenID Connect providers
  • Inspecting claims from internal auth services
  • Checking whether a token is structurally valid before deeper troubleshooting
  • Verifying signatures locally with a shared secret, PEM key, JWK, or JWKS
  • Confirming issuer and key-rotation behavior through JWKS discovery
  • Editing header or payload claims during local testing
  • Re-signing a development token after changing claims

Important Notes

  • A JWT can be structurally valid even if the signature is not verified.
  • Decoding and verification are different checks. This tool surfaces both so you can tell them apart.
  • Re-signing is intended for development and debugging workflows, not for replacing server-side token issuance.
  • Automatic issuer discovery depends on the token's iss claim and the availability of standard OpenID configuration and JWKS endpoints.
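
The difference between decoding and verifying, as an added Node.js example (not this tool's code): a tampered token still decodes cleanly, and only the HS256 check with the verifier's own secret rejects it. The secret, claims and function names are constructed for illustration.

```javascript
// Added example (not the tool's code): decoding vs. verifying an HS256 JWT.
const crypto = require("node:crypto");

// Base64URL-encode a JSON object; Buffer supports the "base64url" alphabet.
const b64urlJson = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");

// Decode only: parses header and payload and says nothing about trust.
function decodeJwt(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("expected three dot-separated parts");
  const [header, payload] = parts
    .slice(0, 2)
    .map((p) => JSON.parse(Buffer.from(p, "base64url").toString("utf8")));
  return { header, payload, signingInput: `${parts[0]}.${parts[1]}`, signature: parts[2] };
}

// Verify: recompute HMAC-SHA256 over "header.payload" and compare in constant time.
// The verifier pins the algorithm; a header asking for anything else is rejected.
function verifyHs256(token, secret) {
  try {
    const { header, signingInput, signature } = decodeJwt(token);
    if (!header || header.alg !== "HS256") return false;
    const expected = crypto.createHmac("sha256", secret).update(signingInput).digest();
    const given = Buffer.from(signature, "base64url");
    return given.length === expected.length && crypto.timingSafeEqual(given, expected);
  } catch {
    return false; // malformed tokens fail verification instead of throwing
  }
}

// Sign: used here only to build the constructed sample tokens below.
function signHs256(header, payload, secret) {
  const signingInput = `${b64urlJson(header)}.${b64urlJson(payload)}`;
  const sig = crypto.createHmac("sha256", secret).update(signingInput).digest("base64url");
  return `${signingInput}.${sig}`;
}

// Constructed sample: a validly signed token and a copy with an edited payload
// that keeps the original signature.
const SECRET = "constructed-demo-secret";
const good = signHs256({ alg: "HS256", typ: "JWT" }, { sub: "42", admin: false }, SECRET);
const [h, , s] = good.split(".");
const tampered = `${h}.${b64urlJson({ sub: "42", admin: true })}.${s}`;

console.log("tampered payload decodes to:", decodeJwt(tampered).payload);
console.log("good verifies:", verifyHs256(good, SECRET));
console.log("tampered verifies:", verifyHs256(tampered, SECRET));
```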

Example

A JWT typically looks like this:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.KMUFsIDTnFmyG3nMiGM6H9FNFUROf3wh7SmqJp-QV30

With this tool, you can:

  • Decode the header and payload
  • Inspect claims in a human-friendly view
  • Verify the signature
  • Change a claim such as name or exp
  • Re-encode or sign the token again for testing

Frequently Asked Questions

Does this tool only decode JWTs?

No. It can also verify signatures, inspect claims in a structured view, auto-discover JWKS from an issuer, and sign the token again when you provide a compatible key.

Can I verify a JWT signature locally?

Yes. You can verify many common JWT algorithms with a shared secret, PEM key, JWK, or JWKS. The tool also supports issuer-based JWKS discovery for compatible OpenID Connect tokens.

Can I edit the payload and rebuild the token?

Yes. You can edit the decoded header or payload, then re-encode the token in the browser. If you also provide a valid secret or private key, you can sign it again.

Does this replace server-side validation?

No. It is a debugging and inspection tool. Your application should still perform proper validation, trust checks, and authorization decisions on the server side.

Final Thoughts

JWTs are more than encoded JSON. In real-world debugging, you often need to inspect claims, verify signatures, compare keys, and understand issuer metadata in one place. This tool is designed for that fuller workflow while still keeping the experience local and fast.
