Question 1

What is a JWT token?

Accepted Answer

A JSON Web Token (JWT) is an open standard (RFC 7519) for securely transmitting information between parties as a JSON object. It consists of three Base64URL-encoded parts — header, payload, and signature — separated by dots. JWTs are commonly used for authentication and information exchange in web applications.

Question 2

How do I decode a JWT without a library?

Accepted Answer

A JWT payload is simply Base64URL-encoded JSON. You can decode it in any browser using atob() after replacing URL-safe characters. Our tool does this instantly in your browser — no server, no library. The header and payload are readable even without the secret; only signature verification requires it.

Question 3

Is it safe to decode JWT tokens online?

Accepted Answer

Yes — decoding is safe. The header and payload of a JWT are not encrypted, only Base64URL-encoded, so decoding reveals no secret. However, never paste tokens that grant access to production systems into any online tool. For sensitive tokens, use our tool offline in a private browser window; all processing happens in your browser with no server calls.

Question 4

What is the difference between HS256 and RS256?

Accepted Answer

HS256 (HMAC SHA-256) uses a single shared secret for both signing and verifying — both parties must know the secret. RS256 (RSA SHA-256) uses a private key to sign and a public key to verify — the signer never shares the private key. HS256 is simpler; RS256 is better for distributed systems where multiple services need to verify tokens without signing them.

Question 5

How do I verify a JWT signature?

Accepted Answer

Paste your JWT token in the input field and enter your HMAC secret in the secret box. Our tool uses your browser's Web Crypto API (crypto.subtle) to verify the HMAC signature — the same algorithm used by production JWT libraries. If the signature is valid, you'll see a green "Signature Verified" badge; otherwise a red "Invalid Signature" badge.

JWT Decoder & Encoder

Decode, verify, and build JWT tokens — entirely in your browser

Paste a JWT to decode it

Related developer tools

Try These Examples

Basic User Token (HS256)

Expired Token

Admin Role Token (HS512)

What is a JSON Web Token?

Common Use Cases

Frequently Asked Questions

JWT Decoder & Encoder

Decode, verify, and build JWT tokens — entirely in your browser

Paste a JWT to decode it

Related developer tools

Try These Examples

Basic User Token (HS256)

Expired Token

Admin Role Token (HS512)

What is a JSON Web Token?

Common Use Cases

Frequently Asked Questions

1What is a JWT token?

2How do I decode a JWT without a library?

3Is it safe to decode JWT tokens online?

4What is the difference between HS256 and RS256?

5How do I verify a JWT signature?