Browser tool · Token never sent
JWT decoder and generator
Paste any JWT to decode its header and payload, check expiry status, and inspect claims. Or generate a signed token using HS256, HS384, or HS512 directly in your browser.
HeaderPayloadSignature
Paste a JWT token above to decode it
Frequently asked questions
Does this tool send my JWT to a server?
No. The JWT decoder and generator run entirely in your browser. Your token string never leaves your device — no network requests are made when you paste, decode, or generate a token. This makes it safe to use with real tokens from development and staging environments.
What is the difference between HS256 and RS256?
HS256 (HMAC SHA-256) is a symmetric algorithm — the same secret key is used to both sign and verify the token. RS256 (RSA SHA-256) is asymmetric — a private key signs the token and a separate public key verifies it. HS256 is simpler and works well for single-server setups. RS256 is better when multiple services need to verify tokens independently, since you can share the public key without exposing the signing secret.
What should I never store in a JWT payload?
Never store passwords, credit card numbers, social security numbers, or any other sensitive data in a JWT payload. The payload is Base64URL-encoded, not encrypted — anyone who has the token can decode and read the payload. JWTs are designed for authenticated identity claims (user ID, roles, email) not for storing sensitive information.
How do I verify a JWT signature server-side in Node.js?
Use the jsonwebtoken package: import jwt from "jsonwebtoken" and call jwt.verify(token, secret). This throws if the token is expired, tampered with, or signed with a different key — and returns the decoded payload if valid. Always verify server-side before trusting any claims in the payload. Never trust a decoded JWT that was sent from a client without verification.
How JWT tokens work
A JWT (JSON Web Token) is a compact, URL-safe string with three Base64URL-encoded parts separated by dots: header, payload, and signature.
The header describes the algorithm used to sign the token (e.g. HS256, RS256). The payload contains the claims — typically a user ID, email, roles, and an expiry timestamp (exp). The signature is a cryptographic hash that proves the token was issued by a trusted party and the payload has not been tampered with.
Common standard claims:
subSubject — the user or entity the token represents (usually a user ID)issIssuer — who created the token (your auth server URL)audAudience — the intended recipient serviceexpExpiry — Unix timestamp after which the token is invalidiatIssued at — Unix timestamp when the token was createdjtiJWT ID — a unique identifier to prevent token replay
Important: this tool decodes the token but does not verify the signature. Anyone with a JWT can read the header and payload. Sensitive data should never be stored unencrypted in JWT claims. Always verify the signature server-side before trusting any token content.
Need help implementing secure authentication in your product?
Talk to Codalyst about auth architecture