The JWT decoder & verifier helps you inspect token metadata, decode claims, and validate HMAC signatures before shipping auth changes. It is optimized for fast troubleshooting with copy-ready JSON outputs.
Inspect third-party tokens
Decode headers and claims before integrating upstream auth providers.
Debug local auth bugs
Verify HS signatures with your secret and confirm `exp`/`nbf` windows quickly.
Share sanitized token context
Copy decoded JSON blocks into tickets without hand-writing claim maps.
Quick start
- Paste a JWT in compact format (`header.payload.signature`).
- Optional: add your shared secret and keep “Verify signature” enabled.
- Submit to decode header/payload JSON and inspect claim timing.
- Copy decoded JSON or signature metadata for debugging notes.
Supported inputs
- Accepts compact JWTs with three Base64URL segments.
- Signature verification supports HMAC algorithms: HS256, HS384, HS512.
- `iat`, `nbf`, and `exp` claims are normalized as Unix seconds for status checks.
Decode walkthrough
- Paste the token exactly as issued (omit `Bearer ` prefixes when possible).
- Run decode to view normalized header and payload JSON output.
- Review algorithm, signing input, and raw signature before verification.
Verification notes
- Provide the shared secret for HMAC tokens.
- Use the verification status card to confirm whether the signature matches.
- If verification fails, compare `alg`, secret source, and token freshness.
Field notes / Pro tips
- Never paste production secrets into external tools; keep verification local.
- Treat decoded payloads as sensitive data and redact user claims before sharing.
- Expired tokens can still verify cryptographically; check both signature and time claims.
- Browse the documentation hub for related data tools and token utilities.
Continue from this guide into the documentation hub or jump back to the live JWT decoder & verifier tool from the hero metadata link.