A JSON Web Token (JWT) is a compact token format that contains claims and an optional signature.

Is verification done locally?

Yes. Decoding and HMAC verification (HS256/384/512) run fully in your browser.

Is it safe to paste my token?

We process everything client-side; however, never share secrets or private data with third parties.

Decode, verify (HS256/384/512), and generate JWT tokens — all in your browser, no upload.

JWT Token

Secret (for HMAC verification)

Status: Idle

Common Claims

Issued At (iat): —

Expires (exp): —

Not Before (nbf): —

Subject (sub): —

Issuer (iss): —

Audience (aud): —

Header

Payload

Signature Algorithm: N/A Verified: N/A

Header (JSON)

{ "alg":"HS256", "typ":"JWT" }

Algorithm

Secret (for HMAC verification)

Status: Idle

Payload (JSON)

{ "sub":"1234567890", "name":"John Doe", "iat": 1516239022 }

Result Token

Keep your secrets safe. Do not share tokens that contain sensitive data.

1. Paste a JWT token into the JWT Token field.
2. Click Decode to view header & payload as JSON.
3. To verify, enter the shared secret and click Verify — supported: HS256, HS384, HS512.
4. Use Encode / Generate to create a token: edit header & payload JSON, choose algorithm and (if HMAC) provide secret.
5. Copy or download the result token. Avoid sharing secrets or private data.

Pro Tip: For production security, avoid HS with weak secrets. Consider asymmetric algorithms (e.g., RS256) and proper key management.