JWT Decoder & Verifier

What is a JWT?

A JSON Web Token (JWT) is a compact, URL-safe token format defined by RFC 7519. It is the most common way to represent authentication and authorization claims between services — particularly in OAuth 2.0, OpenID Connect, and API gateways.

A JWT consists of three base64url-encoded parts separated by dots: header.payload.signature. The header declares the signing algorithm (e.g. HS256, RS256), the payload carries claims (subject, issuer, expiry, custom data), and the signature proves the token was issued by a holder of the secret or private key.

This decoder runs entirely in your browser using the Web Crypto API. Your JWT and any secret you paste never leave your machine — there are no network requests for decoding or verification.

Standard Claims

• iss — issuer of the token
• sub — subject (usually the user ID)
• aud — intended audience
• exp — expiration time (Unix seconds). Reject if past.
• nbf — not-before time. Reject if future.
• iat — issued-at time
• jti — unique token ID (for revocation lists)

Common Algorithms

• HS256 / HS384 / HS512 — HMAC with a shared secret. Both signer and verifier hold the same key.
• RS256 / RS384 / RS512 — RSA signature. Signer holds the private key; anyone with the public key can verify.
• ES256 / ES384 / ES512 — ECDSA signature, smaller and faster than RSA.
• none — unsigned. Always reject this in production — historic source of authentication bypass bugs.

Security Notes

• JWTs are not encrypted — never put secrets, passwords, or PII in the payload.
• Always verify the signature server-side before trusting any claim.
• Pin the expected algorithm; do not let the token's alg header dictate verification (algorithm confusion attacks).
• Validate exp, nbf, iss, and aud on every request.