JWT

JWT Decoder and Generator

Decode JWT headers, payloads, and signatures locally in the browser, generate HS256, HS384, HS512, or debug-only none tokens, and learn JWT structure, signing, and common use cases.

Decode JWT

Verification secret

Header-

Payload-

Signature-

Header

Payload

Claim	Value	Note

Generate JWT

Algorithm Signing secret

Header

Payload

JWT Basics

Structure

JWT = Base64URL(Header) + "." + Base64URL(Payload) + "." + Base64URL(Signature)

The header describes type and algorithm, the payload stores claims, and the signature proves the first two parts were not tampered with.

Signature

HS256: HMAC-SHA256(base64url(header) + "." + base64url(payload), secret)

HS384 and HS512 use SHA-384 and SHA-512. RS256/ES256 need private-key signing and public-key verification; this tool focuses on local browser HMAC debugging.

Common claims

iss: issuer；sub: subject；aud: audience；exp: expires at；nbf: not before；iat: issued at；jti: token id。

exp, nbf, and iat are usually Unix timestamps in seconds.

Use cases

JWTs are commonly used for SPA login sessions, API Bearer tokens, short-lived service-to-service authorization, and identity claim transfer in SSO.

Security notes

JWT is encoded and signed, not encrypted. Anyone can decode the payload, so do not store passwords, secrets, national IDs, or other sensitive data. Production systems must validate alg, signature, exp, nbf, iss, aud, and use strong secrets.

Bearer usage

Authorization: Bearer <jwt>

Clients usually send the token in the Authorization header; servers trust identity data only after verifying the signature and claims.