Codalyst Tech
Developer tools

Browser tool · Token never sent

JWT decoder and generator

Paste any JWT to decode its header and payload, check expiry status, and inspect claims. Or generate a signed token using HS256, HS384, or HS512 directly in your browser.

HeaderPayloadSignature

Paste a JWT token above to decode it

Frequently asked questions

Does this tool send my JWT to a server?

No. The JWT decoder and generator run entirely in your browser. Your token string never leaves your device — no network requests are made when you paste, decode, or generate a token. This makes it safe to use with real tokens from development and staging environments.

What is the difference between HS256 and RS256?

HS256 (HMAC SHA-256) is a symmetric algorithm — the same secret key is used to both sign and verify the token. RS256 (RSA SHA-256) is asymmetric — a private key signs the token and a separate public key verifies it. HS256 is simpler and works well for single-server setups. RS256 is better when multiple services need to verify tokens independently, since you can share the public key without exposing the signing secret.

What should I never store in a JWT payload?

Never store passwords, credit card numbers, social security numbers, or any other sensitive data in a JWT payload. The payload is Base64URL-encoded, not encrypted — anyone who has the token can decode and read the payload. JWTs are designed for authenticated identity claims (user ID, roles, email) not for storing sensitive information.

How do I verify a JWT signature server-side in Node.js?

Use the jsonwebtoken package: import jwt from "jsonwebtoken" and call jwt.verify(token, secret). This throws if the token is expired, tampered with, or signed with a different key — and returns the decoded payload if valid. Always verify server-side before trusting any claims in the payload. Never trust a decoded JWT that was sent from a client without verification.

How JWT tokens work

A JWT (JSON Web Token) is a compact, URL-safe string with three Base64URL-encoded parts separated by dots: header, payload, and signature.

The header describes the algorithm used to sign the token (e.g. HS256, RS256). The payload contains the claims — typically a user ID, email, roles, and an expiry timestamp (exp). The signature is a cryptographic hash that proves the token was issued by a trusted party and the payload has not been tampered with.

Common standard claims:

  • subSubject — the user or entity the token represents (usually a user ID)
  • issIssuer — who created the token (your auth server URL)
  • audAudience — the intended recipient service
  • expExpiry — Unix timestamp after which the token is invalid
  • iatIssued at — Unix timestamp when the token was created
  • jtiJWT ID — a unique identifier to prevent token replay

Important: this tool decodes the token but does not verify the signature. Anyone with a JWT can read the header and payload. Sensitive data should never be stored unencrypted in JWT claims. Always verify the signature server-side before trusting any token content.

Need help implementing secure authentication in your product?

Talk to Codalyst about auth architecture