Initialising Workbench...
Paste a JSON Web Token to instantly decode its header and payload, inspect expiry claims, and verify its signature. Everything runs locally in your browser — no token ever leaves your device.
Paste a JWT above (or try the sample token) to see its decoded header, payload, and signature verification options.
Every tool runs entirely in your browser. Nothing you type is uploaded, stored, or logged on our servers.
The JWT Decoder / Debugger lets you inspect any JSON Web Token without leaving your browser. Paste a token to instantly see its decoded header and payload, check whether it has expired based on the standard exp and nbf claims, and cross-check the signature against a shared secret or a public key.
It supports HMAC (HS256/384/512), RSA (RS256/384/512), and ECDSA (ES256/384/512) signature verification using the browser's native Web Crypto API — no token, secret, or key is ever sent over the network, making it safe to use with real production tokens while debugging authentication issues.
No. Decoding and signature verification both happen entirely in your browser using the Web Crypto API. Your token, secrets, and keys never leave your device.
Decoding just Base64URL-decodes the header and payload segments so you can read the claims — anyone can do this without any secret. Verifying checks that the signature was produced with a specific secret or private key, which proves the token hasn't been tampered with.
HMAC (HS256, HS384, HS512) using a shared secret, and RSA (RS256, RS384, RS512) and ECDSA (ES256, ES384, ES512) using a PEM-formatted public key.
The tool checks the standard `exp` claim against your current system time. If `exp` is in the past, the token is flagged as expired regardless of whether its signature is valid.
Verification only requires the corresponding public key, not the private key. Paste the PEM-formatted public key (`-----BEGIN PUBLIC KEY-----`) into the key field.