JWT Decoder & Encoder

Decode JWT headers and payloads, inspect claims, or encode unsigned and HMAC-signed JWTs locally in your browser.

Decode a JSON Web Token when you need to inspect the header, payload, and common claims, or encode a test JWT from header and payload JSON. Decoding and HMAC signing run locally in your browser, and decoded content is not proof that a token is authentic.

Runs locally in your browser. Decoding does not verify signatures, and pasted tokens or signing secrets are not uploaded.
JWTs can contain sensitive user or session data. This tool decodes the token locally, but it does not verify the signature or prove the token is authentic.

How to use JWT Tool

  1. Use Decode mode to paste a JWT in compact header.payload.signature format.
  2. Review the claim summary, header JSON, payload JSON, and exp, nbf, or iat dates against your browser clock.
  3. Use Encode mode to enter header and payload JSON, then choose an unsigned token or an HS256, HS384, or HS512 HMAC signature.
  4. Copy the decoded summary or generated JWT you need.

Examples

Copy patterns and edge cases worth checking.

Inspect a token payload

The payload is decoded for inspection only. Signature verification is not performed.

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwiaWF0IjoxNzE5NjAwMDAwfQ.signature
{
  "sub": "1234567890",
  "iat": 1719600000
}

Create a test JWT

Unsigned tokens are useful for local fixtures only when your verifier explicitly allows alg none.

Header {"alg":"none","typ":"JWT"} and payload {"sub":"1234567890"}
A compact JWT with an empty signature segment.

Check an expiration claim

Date claims are Unix timestamps in seconds.

JWT payload with exp: 2530224000
Expires: Mar 7, 2050 UTC

FAQ

Short answers before you paste real data.

Does this JWT tool verify signatures?

No. It decodes the header and payload so you can inspect the JSON. A decoded token is not proof that the token is authentic.
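
What the missing verification step looks like, as an added example that is not this tool's code: an HS256 check with the Web Crypto API that pins the algorithm on the verifier side, rejects alg none, and only then applies exp and nbf. The function names, the result shape and the signing helper used to build test tokens are assumptions made for the example.

```javascript
// Added example, not the tool's own code. Runs in a browser or in Node.js.
const subtle = (globalThis.crypto ?? require("node:crypto").webcrypto).subtle;
const enc = new TextEncoder();
const dec = new TextDecoder();

// base64url <-> bytes (JWT segments drop the "=" padding)
function b64uToBytes(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
}
function bytesToB64u(bytes) {
  return btoa(String.fromCharCode(...bytes))
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}
const hmacKey = (secret, usage) =>
  subtle.importKey("raw", enc.encode(secret), { name: "HMAC", hash: "SHA-256" }, false, [usage]);

// Fixture helper (hypothetical name): builds an HS256 token to feed the verifier.
async function signHs256(payload, secret) {
  const seg = (obj) => bytesToB64u(enc.encode(JSON.stringify(obj)));
  const input = `${seg({ alg: "HS256", typ: "JWT" })}.${seg(payload)}`;
  const sig = await subtle.sign("HMAC", await hmacKey(secret, "sign"), enc.encode(input));
  return `${input}.${bytesToB64u(new Uint8Array(sig))}`;
}

// Check the signature before trusting any claim. nowSec is injectable for repeatable checks.
async function verifyHs256(token, secret, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split(".");
  if (parts.length !== 3) return { ok: false, reason: "malformed" };
  let header, payload, sig;
  try {
    header = JSON.parse(dec.decode(b64uToBytes(parts[0])));
    payload = JSON.parse(dec.decode(b64uToBytes(parts[1])));
    sig = b64uToBytes(parts[2]);
  } catch {
    return { ok: false, reason: "malformed" };
  }
  // Pin the algorithm on the verifier side; the token header must not choose it.
  // This also rejects unsigned alg "none" tokens.
  if (header?.alg !== "HS256") return { ok: false, reason: "alg not allowed" };
  const key = await hmacKey(secret, "verify");
  const signed = enc.encode(`${parts[0]}.${parts[1]}`);
  if (!(await subtle.verify("HMAC", key, sig, signed))) return { ok: false, reason: "bad signature" };
  // exp and nbf are Unix seconds; compare against the verifier's clock.
  if (typeof payload?.exp === "number" && nowSec >= payload.exp) return { ok: false, reason: "expired" };
  if (typeof payload?.nbf === "number" && nowSec < payload.nbf) return { ok: false, reason: "not yet valid" };
  return { ok: true, claims: payload };
}
```

Both functions return promises, so call them with await or .then().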

Can it encode or sign JWTs?

Yes. Encode mode can create unsigned JWTs or HMAC-signed JWTs with HS256, HS384, or HS512 using the browser Web Crypto API.

Are JWTs or signing secrets uploaded to a server?

No. Decode and encode actions run in your browser, and JWTs or HMAC secrets are not sent to WebMultitool servers or external APIs.

Why do token dates look different from my server logs?

JWT date claims are Unix timestamps in seconds. The tool shows UTC and your browser's local time, so timezone display can differ from server logs.
