JWT decoder & verifier documentation

Decode JWT headers and claims, verify HMAC signatures, and inspect expiration windows.

Overview

Use it when the format needs to change, not the meaning

Use the decoder when a compact token needs to be inspected, verified, or shared as readable JSON.

Third-party token review

Inspect claims before wiring a provider into your workflow.

Auth debugging

Check whether the token still verifies with the shared secret.

Safe handoffs

Copy decoded header and payload data into tickets without retyping it.

Supported inputs

Bring clean source text and keep the direction straight

  • Accepts compact JWTs with three Base64URL segments.
  • HMAC verification supports HS256, HS384, and HS512.
  • Time claims such as `exp`, `nbf`, and `iat` are shown as Unix seconds.

Walk through it

Follow the same sequence you see in the tool

Workflow

Decode a token

Use this path when you need to inspect the header and payload.

  1. Paste the JWT in compact form.
  2. Run the decoder to show the header and payload as readable JSON.
  3. Review the claims before you share or copy anything.

Workflow

Verify a signature

Use this path when you have the shared secret and want to confirm authenticity.

  1. Enter the shared secret if the token uses HMAC signing.
  2. Run verification against the same compact token.
  3. Check the signature status and compare the algorithm before trusting the claims.
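
The verification path above can also be reproduced offline. This is an added example, not the tool's own code: the function names, the demo secret and the sample token are constructed for illustration. It pins the expected algorithm, recomputes the HMAC over the first two segments, compares in constant time, and only then evaluates `exp` and `nbf`.

```python
import base64, hashlib, hmac, json, time

# Algorithms the page lists as supported for HMAC verification.
HMAC_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}

def b64url_decode(segment):
    # Base64URL segments omit padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def verify_jwt(token, secret, expected_alg, now=None):
    """Return the payload only if algorithm, signature and time window all check out."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT with three segments")
    header = json.loads(b64url_decode(parts[0]))
    # The verifier chooses the algorithm; the header must agree with it.
    if expected_alg not in HMAC_ALGS or not isinstance(header, dict) \
            or header.get("alg") != expected_alg:
        raise ValueError("algorithm mismatch")
    signing_input = f"{parts[0]}.{parts[1]}".encode()
    expected_sig = hmac.new(secret, signing_input, HMAC_ALGS[expected_alg]).digest()
    # Constant-time comparison avoids leaking how many bytes matched.
    if not hmac.compare_digest(expected_sig, b64url_decode(parts[2])):
        raise ValueError("signature does not match the shared secret")
    payload = json.loads(b64url_decode(parts[1]))
    now = int(time.time()) if now is None else now
    if "exp" in payload and now >= payload["exp"]:
        raise ValueError("token expired")
    if "nbf" in payload and now < payload["nbf"]:
        raise ValueError("token not yet valid")
    return payload

def make_sample_token(payload, secret, alg="HS256"):
    # Builds a constructed sample token for the demo; not a real credential.
    head = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(secret, f"{head}.{body}".encode(), HMAC_ALGS[alg]).digest()
    return f"{head}.{body}.{b64url_encode(sig)}"

if __name__ == "__main__":
    secret = b"constructed-demo-secret"
    tok = make_sample_token({"sub": "demo", "nbf": 1000, "exp": 2000}, secret)
    print(verify_jwt(tok, secret, "HS256", now=1500))
```

Passing `expected_alg` explicitly is what "compare the algorithm" means in practice: a token whose header names a different algorithm is rejected before any claim is read.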

What you get

Check the result before you copy it into the next step

Decoded header

The header shows the token algorithm and related metadata.

Decoded payload

The payload shows claims in readable JSON so you can review them quickly.

Verification status

The signature result tells you whether the shared secret matched.

Avoid these mistakes

Small input problems create the biggest conversion errors

Bearer prefix left in place

Paste the compact token itself instead of the full authorization header.

Wrong shared secret

A valid decode can still fail verification if the secret does not match.

Decoded claims treated as trusted

Check verification before you rely on any claim values.

Glossary

Decode the terms before you act on them

This section translates the most technical labels on the page into plain language so you can interpret the output without opening another tab.

JWT

JWT stands for JSON Web Token. It is a compact string format that carries header, payload, and signature data.

Claim

A claim is one field inside the token payload, such as a subject, audience, role, or expiration time.

HMAC

HMAC is a shared-secret signing method. Verification only succeeds when both sides use the same secret and algorithm.

exp

`exp` is the expiration claim. It tells clients and servers when the token should stop being accepted.

nbf

`nbf` stands for not before. It means the token should not be treated as valid before that time.

iat

`iat` stands for issued at. It records when the token was created.

Last updated March 23, 2026