A JWT decoder, verifier and reference for developers
AG JWT Decoder is a free developer tool that decodes JSON Web Tokens (JWT) instantly in your browser and verifies their signatures — no signup, no installation.
Paste a token and its three parts — header, payload and signature — are base64url decoded, color-coded and shown as formatted JSON, each copyable in one click. For HMAC (HS256/384/512) tokens, enter the secret to verify the signature too.
Registered claims such as exp, nbf and iat are expanded into human-readable local time and relative time, and a status banner tells you whether the token is expired. It also provides an algorithm and claim reference and concept guides to help you understand JWT more deeply.
All processing happens only in your browser, and no token or secret you paste is ever sent to or stored on a server. Because a JWT payload is not encrypted, never put sensitive data in it.
No. Decoding and HMAC verification happen entirely in your browser, and no token or secret is ever sent to or stored on any server.
It verifies the HMAC family (HS256/384/512) with just your secret, using the browser's Web Crypto. Asymmetric signatures like RS, ES, PS and EdDSA need a public key, so this tool only decodes them.
No. A JWT payload is only base64url encoded, not encrypted, so anyone can decode it. Never store secrets such as passwords or API keys inside it.
Time-based registered claims are Unix timestamps in seconds since January 1, 1970. This tool shows them in your local time and as relative time (e.g. in 3 days).