Paste a token. See everything. Nothing leaves your browser.
Header, payload, claims, expiry, all decoded instantly. 100% client-side. Zero network requests.
A JSON Web Token (JWT) is a compact token format with three dot-separated parts: header.payload.signature. The header declares the signing algorithm, the payload carries claims (user data, permissions, expiry), and the signature lets a verifier confirm the token is authentic. JWTs are used everywhere for auth.
Yes. This runs 100% in your browser. Open DevTools → Network tab and verify: zero outbound requests. Your token never touches a server.
HS256 = symmetric (shared secret). RS256 = asymmetric (public/private key pair). RS256 is more secure for production. The verifier only needs the public key, so the signing key can stay private.
The "exp" claim is a Unix timestamp. If it's in the past, the token is expired. Tokens are intentionally short-lived (minutes to hours) for security. Your backend issues fresh ones.
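The header.payload.signature layout and the "exp" check described above can be reproduced locally with a few lines of JavaScript. This is an added example, not this tool's own code; `inspectJwt`, `b64urlToJson`, `toB64url` and the sample token are hypothetical names and constructed data, and the code only decodes, it does not verify the signature.

```javascript
// Added example: decodes a JWT for inspection. It does NOT verify the signature.

// Decode one base64url segment into a parsed JSON object.
function b64urlToJson(segment) {
  // base64url -> base64: swap the URL-safe characters and restore padding
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  // fatal: true rejects invalid UTF-8 instead of silently substituting
  return JSON.parse(new TextDecoder("utf-8", { fatal: true }).decode(bytes));
}

// Hypothetical helper: split the token, decode header and payload, check exp.
function inspectJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) {
    throw new Error("expected header.payload.signature (3 segments)");
  }
  const header = b64urlToJson(parts[0]);
  const payload = b64urlToJson(parts[1]);
  const report = {
    alg: header.alg,
    header,
    payload,
    signaturePresent: parts[2].length > 0,
    verified: false, // decoding proves nothing about authenticity
    expired: null, // null = no numeric exp claim present
    secondsLeft: null,
  };
  if (typeof payload.exp === "number") {
    report.secondsLeft = payload.exp - nowSeconds;
    report.expired = report.secondsLeft <= 0; // exp is a Unix timestamp
  }
  return report;
}

// Constructed sample token (made-up claims, placeholder signature).
function toB64url(obj) {
  return btoa(JSON.stringify(obj))
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}
const SAMPLE_TOKEN = [
  toB64url({ alg: "HS256", typ: "JWT" }),
  toB64url({ sub: "user-123", exp: 1700000000 }),
  "placeholder-signature",
].join(".");

console.log(inspectJwt(SAMPLE_TOKEN));
```

Anyone holding the token can read the header and payload this way, so treat the claims as readable by the bearer and rely on signature verification on the backend for trust.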