JSON Web Token (JWT)

Encoded token status: valid JWT

Decoded Header

{
  "alg": "HS256",
  "typ": "JWT"
}

Decoded Payload (token status: expired)

{
  "iss": "devtoolbox.app",
  "sub": "devtoolbox",
  "name": "DevToolbox",
  "tagline": "Privacy-first developer utilities, 100% client-side",
  "tools": [
    "json-formatter",
    "jwt-decoder",
    "base64",
    "regex-tester",
    "color-converter"
  ],
  "role": "developer",
  "iat": 1730864000,  // Nov 6, 2024, 3:33 AM
  "exp": 1730950400   // Nov 7, 2024, 3:33 AM
}

JWT Signature Verification

Algorithm HS256 — enter the key used to sign the JWT below.


Verify in your language (HS256, Node.js with the jsonwebtoken package):

import jwt from "jsonwebtoken";

// Token under test, e.g. taken from an Authorization: Bearer header;
// the shared secret comes from the environment, never from source.
const token = process.argv[2];

// Pinning the algorithm list means a token whose header says "none"
// (or an asymmetric alg) is rejected instead of being checked with the secret.
const decoded = jwt.verify(token, process.env.JWT_SECRET, {
  algorithms: ["HS256"],
});
console.log(decoded);

Paste any JSON Web Token and instantly see its header, payload, and signature, with all standard claims (iss, sub, aud, exp, iat, nbf) decoded and interpreted in human-readable form. HMAC-SHA256 signatures can be verified against a shared secret directly in the browser — no token contents ever leave your device.

Common use cases

  • Debugging auth flows. Decode the token your auth provider hands back to your app to verify the claims match what you expect — roles, scopes, expiry. Catches misconfigured issuers and wrong audience values quickly.
  • Checking token expiry mid-incident. Paste a token from production logs to confirm whether `exp` has passed. The decoded view shows the absolute timestamp and relative time-to-expiry.
  • Verifying HS256 signatures. When you have access to the signing secret, paste both and confirm the token's signature is valid. Useful for diagnosing signature drift between issuer and verifier.
  • Learning JWT structure. Hover over each claim in the decoded view to see what it means. Useful for understanding what your auth provider is actually putting in the token.

Frequently asked

Does the decoder send my token anywhere?

No. Decoding and signature verification both run entirely in your browser. The tool makes no network requests with token contents. Safe for production tokens — never decode a real token on a server you don't control.

What does 'signature invalid' mean?

Either the secret is wrong, the token was tampered with, or the algorithm used to sign it differs from what you're verifying against. The decoder shows the alg from the header — check it matches what your verifier expects.

Can I verify RS256 / ES256 tokens?

Currently only HS256 (symmetric / shared secret) verification is supported. RS256 / ES256 use asymmetric key pairs and require fetching the issuer's public key from a JWKS endpoint — that's planned but not shipped yet.

Why is the `iat` value a giant number?

JWT timestamps (`iat`, `exp`, `nbf`) are Unix epoch seconds — seconds since 1970-01-01 UTC. The decoded view converts them to readable date-time format alongside the raw number.

What if the token has no signature segment?

It's an `alg: none` JWT — explicitly unsigned. These should never be accepted from untrusted sources; the spec allows them but most production systems reject them by default.

Can I generate a new JWT?

Yes — the Encode panel takes a header + payload + secret and produces a signed token. Useful for testing your verifier against known-good inputs.
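The following is an added example, not DevToolbox's own code: a standard-library-only Python version of what the decoder, the HS256 verifier and the Encode panel do. It serves the tool description above as well as the "signature invalid", "alg: none" and `iat` FAQ entries and the Encode panel in one place, because all of them rest on the same base64url and HMAC-SHA256 helpers. The secret and the claims are constructed for the demo, and the function names (`encode_hs256`, `verify_hs256`, `verify_status`, `describe_time_claims`) are assumptions, not the tool's API.

```python
"""Minimal HS256 JWT encode / decode / verify using only the standard library.

Added example; not the DevToolbox tool's own code. Mirrors what the decoder
does client-side: split the compact token, decode header and payload, verify
an HMAC-SHA256 signature against a shared secret, and check the time claims.
"""
import base64
import hashlib
import hmac
import json
import time
from datetime import datetime, timezone
from typing import Dict, Optional, Tuple


def b64url_encode(data: bytes) -> str:
    # JWT segments are base64url without '=' padding (RFC 7515, section 2).
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    # Restore the padding stripped at encode time before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def encode_hs256(payload: dict, secret: bytes) -> str:
    """Build a signed token as the Encode panel does: header.payload.signature."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode("utf-8"))
        for part in (header, payload)
    )
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def decode_unverified(token: str) -> Tuple[dict, dict]:
    """Decode header and payload without checking the signature (the decoded view)."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("a JWS compact token has exactly three segments")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    return header, payload


def verify_hs256(token: str, secret: bytes, now: Optional[int] = None,
                 leeway: int = 0) -> dict:
    """Return the payload if signature and time claims are valid, else raise ValueError."""
    header, payload = decode_unverified(token)
    # Pin the algorithm: a header claiming "none" (empty signature segment) or
    # any other alg is rejected before the secret is used at all.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}; expected HS256")
    signing_input, signature = token.rsplit(".", 1)
    expected = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison: a wrong secret or tampered token leaks no timing.
    if not hmac.compare_digest(expected, b64url_decode(signature)):
        raise ValueError("signature invalid: wrong secret, tampered token, or alg mismatch")
    now = int(time.time()) if now is None else now
    # RFC 7519: the current time must be before exp and not before nbf.
    if "exp" in payload and now >= payload["exp"] + leeway:
        raise ValueError("token expired")
    if "nbf" in payload and now < payload["nbf"] - leeway:
        raise ValueError("token not yet valid")
    return payload


def verify_status(token: str, secret: bytes, now: Optional[int] = None) -> str:
    """Human-readable verdict, as the tool's status line reports it."""
    try:
        verify_hs256(token, secret, now=now)
        return "valid"
    except ValueError as err:
        return str(err)


def describe_time_claims(payload: dict) -> Dict[str, str]:
    """Render iat/nbf/exp epoch seconds as UTC ISO-8601, as the decoded view does."""
    return {
        claim: datetime.fromtimestamp(payload[claim], tz=timezone.utc).isoformat()
        for claim in ("iat", "nbf", "exp") if claim in payload
    }


# Constructed demo values (not real credentials); claims copied from the sample above.
DEMO_SECRET = b"demo-shared-secret"
DEMO_PAYLOAD = {"iss": "devtoolbox.app", "sub": "devtoolbox", "role": "developer",
                "iat": 1730864000, "exp": 1730950400}

if __name__ == "__main__":
    tok = encode_hs256(DEMO_PAYLOAD, DEMO_SECRET)
    print(decode_unverified(tok))
    print(describe_time_claims(DEMO_PAYLOAD))
    print(verify_status(tok, DEMO_SECRET, now=1730864100))   # valid
    print(verify_status(tok, DEMO_SECRET, now=1730950400))   # token expired
    print(verify_status(tok, b"wrong-secret", now=1730864100))  # signature invalid
```

`now` is injected so the expiry check is reproducible; in production leave it `None` so the wall clock is used, and keep `leeway` to a few seconds at most to absorb clock skew between issuer and verifier.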