JWT encoder / decoder
Decode JWT headers and payloads, inspect common claims, and create signed or unsigned tokens with custom header, payload, and secret input.
About this tool
Decode any JWT to inspect its header, payload, and claims — or encode signed/unsigned tokens. Runs entirely in your browser, no token ever uploaded.
1. Paste a JWT token (the three-part dot-separated string) into the input field.
2. The tool instantly decodes and displays the header, payload, and signature in separate panels.
3. Check the payload for claims like exp (expiry), sub (subject), and iss (issuer).
4. Note: this tool decodes — it does not verify the signature. Never trust a JWT without server-side verification.
Inspect copied bearer tokens from API requests, logs, or auth middleware.
Decode header and payload claims without sending the token to a server.
Review issued-at and expiry claims when debugging session problems.
Decode a JWT header
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
{"alg":"HS256","typ":"JWT"}

Decode a JWT payload
eyJzdWIiOiJ1c2VyXzEyMyIsImlhdCI6MTcwMDAwMDAwMCwiZXhwIjoxNzAwMDM2MDAwfQ
{"sub":"user_123","iat":1700000000,"exp":1700036000}

These answers explain common JWT encode/decode tasks, expected input formats, and edge cases so both visitors and search engines can understand what this tool does.
Does this JWT inspector verify the token signature?
No. This tool decodes the token header and payload for inspection. It does not validate the signature or confirm that the token was issued by a trusted source.
Can this tool create a signed JWT?
Yes. The encoder can generate JWTs using HMAC algorithms such as HS256, HS384, and HS512 when you provide a secret. It can also create unsigned tokens when the header alg is set to none.
What parts of a JWT does this tool show?
It shows the decoded header and payload, plus common summary fields such as algorithm, issuer, subject, audience, and time-based claims when they are present.
Can I inspect expired JWTs?
Yes. Even an expired token can still be decoded and inspected. The decoded payload helps you review the exp, iat, and nbf claims when debugging auth issues.
Should I paste production secrets into a JWT tool?
Only if you trust the tool and your environment. This app runs in the browser, but sensitive tokens should still be handled carefully and only when necessary.
The jsonwebtoken package is the standard Node.js JWT library. Use jwt.sign to create tokens and jwt.verify to validate them.
// npm install jsonwebtoken
const jwt = require("jsonwebtoken");

// Demo value only; load the real secret from configuration, not source code
const secret = "my-secret-key";
const payload = { userId: 42, name: "Alice", role: "admin" };

// Sign (encode) — HS256 is the default algorithm
const token = jwt.sign(payload, secret, { expiresIn: "1h" });
console.log(token);
// eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...

// Verify and decode; pin the accepted algorithm instead of relying on defaults
try {
  const decoded = jwt.verify(token, secret, { algorithms: ["HS256"] });
  console.log(decoded);
  // { userId: 42, name: 'Alice', role: 'admin', iat: ..., exp: ... }
} catch (err) {
  if (err.name === "TokenExpiredError") console.error("Token expired");
  else console.error("Invalid token:", err.message);
}

// Decode without verifying (inspect header/payload only; never use for auth decisions)
const unverified = jwt.decode(token, { complete: true });
console.log(unverified.header); // { alg: 'HS256', typ: 'JWT' }
console.log(unverified.payload);
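The difference between decoding and verifying, written out with Node's built-in crypto module. This is an added example, not code from the original page or from the jsonwebtoken project; the function names, the demo secret, and the sample tokens are constructed for illustration.

```javascript
// Added example (not the page's or jsonwebtoken's code): decode vs. verify, Node built-ins only.
const crypto = require("crypto");

const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
const fromB64url = (seg) => JSON.parse(Buffer.from(seg, "base64url").toString("utf8"));

// Decode only, as an inspector does. This says nothing about who issued the token.
function decodeJwt(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("expected three dot-separated parts");
  return { header: fromB64url(parts[0]), payload: fromB64url(parts[1]), signature: parts[2] };
}

// Verify: pin the algorithm, recompute the HMAC over "header.payload",
// compare in constant time, and only then look at the claims.
function verifyHs256(token, secret, nowSeconds = Math.floor(Date.now() / 1000)) {
  const { header, payload, signature } = decodeJwt(token);
  if (header.alg !== "HS256") throw new Error("unexpected alg: " + header.alg);
  const signingInput = token.slice(0, token.lastIndexOf("."));
  const expected = crypto.createHmac("sha256", secret).update(signingInput).digest();
  const given = Buffer.from(signature, "base64url");
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    throw new Error("bad signature");
  }
  if (typeof payload.exp === "number" && nowSeconds >= payload.exp) throw new Error("token expired");
  return payload;
}

// Builds the constructed sample tokens below.
function signHs256(payload, secret) {
  const input = b64url({ alg: "HS256", typ: "JWT" }) + "." + b64url(payload);
  return input + "." + crypto.createHmac("sha256", secret).update(input).digest("base64url");
}

// Returns "ok" or the reason verification failed.
function check(token, secret, nowSeconds) {
  try { verifyHs256(token, secret, nowSeconds); return "ok"; } catch (err) { return err.message; }
}

// Constructed sample data: demo secret, the page's sample payload, and two altered tokens.
const SECRET = "demo-secret-not-for-production";
const claims = { sub: "user_123", iat: 1700000000, exp: 1700036000 };
const good = signHs256(claims, SECRET);
const [head, , sig] = good.split(".");
const tampered = [head, b64url({ ...claims, sub: "admin" }), sig].join(".");
const unsigned = b64url({ alg: "none", typ: "JWT" }) + "." + b64url(claims) + ".";

console.log(check(good, SECRET, 1700000100), "|", check(tampered, SECRET, 1700000100), "|", check(unsigned, SECRET, 1700000100));
```

The tampered and unsigned tokens both decode cleanly, which is why decoded claims must never drive an authorization decision.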