JWT Tool

Decode and sign JSON Web Tokens — all algorithms supported


About JWT Encode & Decode Tool

The JWT (JSON Web Token) tool lets you encode, decode, and inspect JWT tokens in your browser. View the header, payload, and signature of any JWT, create new signed tokens for testing authentication flows, and verify token signatures against secret keys or public keys — all without any server communication. This is an essential tool for developers working with OAuth 2.0, OpenID Connect, or any token-based authentication system.

Understanding JWT Structure

A JWT consists of three Base64URL-encoded parts separated by dots: the Header (specifying the signing algorithm and token type), the Payload (containing claims like subject, issuer, expiration, and custom data), and the Signature (proving the token hasn't been tampered with). The header and payload are not encrypted. They are only Base64URL-encoded, so anyone who holds the token can read them. The signature ensures integrity: if any part of the token is modified, signature verification will fail.

Key Features

  • Instant decode — paste any JWT token to instantly see its decoded header and payload in readable, formatted JSON.
  • JWT encoding — create new JWT tokens by specifying custom header and payload claims with your signing secret or private key.
  • Algorithm support — supports HS256, HS384, HS512 (HMAC), RS256, RS384, RS512 (RSA), and ES256, ES384, ES512 (ECDSA).
  • Expiration detection — automatically highlights expired tokens by reading the exp claim and comparing to current time.
  • Signature verification — verify the token signature against a shared secret (HMAC) or public key (RSA/ECDSA).
  • Claim inspection — view standard claims (iss, sub, aud, exp, iat) and custom claims.

How to Use

  1. Decode — paste a JWT token into the input field. The header and payload are decoded and displayed instantly with syntax highlighting.
  2. Encode — switch to encode mode, enter your claims as JSON, provide a signing secret or private key, select the algorithm, and generate a signed JWT.
  3. Verify — provide the secret or public key to verify the token's signature integrity.
  4. Copy — copy the decoded claims, encoded token, or verification result to your clipboard.

Standard JWT Claims Explained

  • iss (Issuer) — identifies who created and signed the token (e.g., your authentication server URL).
  • sub (Subject) — identifies the user or entity the token represents (e.g., user ID).
  • aud (Audience) — identifies the intended recipient(s) of the token (e.g., API server URL).
  • exp (Expiration) — Unix timestamp after which the token is no longer valid.
  • iat (Issued At) — Unix timestamp indicating when the token was created.
  • nbf (Not Before) — Unix timestamp before which the token is not valid.
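
The token structure and the time-based claims described above, as an added example that is not part of the original page or the tool's own code: it signs a constructed token with HS256 using the Node.js crypto module, then verifies the signature before checking exp and nbf. The secret, claim values, and function names are assumptions made for illustration.

```javascript
const crypto = require("node:crypto");

const b64url = (data) => Buffer.from(data).toString("base64url");
const parseJson = (part) => JSON.parse(Buffer.from(part, "base64url").toString("utf8"));
const hmac = (input, secret) => crypto.createHmac("sha256", secret).update(input).digest();

// Build an HS256 token so the example has constructed input to verify.
function signHS256(claims, secret) {
  const signingInput = `${b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }))}.${b64url(JSON.stringify(claims))}`;
  return `${signingInput}.${b64url(hmac(signingInput, secret))}`;
}

// Check the signature first, then the time-based claims.
function verifyHS256(token, secret, now = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split(".");
  if (parts.length !== 3) return { ok: false, reason: "malformed" };
  const [h, p, s] = parts;
  let header, claims;
  try {
    header = parseJson(h);
    claims = parseJson(p);
  } catch {
    return { ok: false, reason: "malformed" };
  }
  // Pin the expected algorithm instead of trusting the token's own header.
  if (header?.alg !== "HS256") return { ok: false, reason: "unexpected alg" };
  const expected = hmac(`${h}.${p}`, secret);
  const given = Buffer.from(s, "base64url");
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: "bad signature" };
  }
  if (typeof claims?.exp === "number" && now >= claims.exp) return { ok: false, reason: "expired" };
  if (typeof claims?.nbf === "number" && now < claims.nbf) return { ok: false, reason: "not yet valid" };
  return { ok: true, reason: "valid", claims };
}

// Re-encode the payload with one claim changed, keeping the old signature.
function withModifiedPayload(token, changes) {
  const [h, p, s] = token.split(".");
  return `${h}.${b64url(JSON.stringify({ ...parseJson(p), ...changes }))}.${s}`;
}

// Constructed sample values, not taken from the page.
const SECRET = "constructed-demo-secret";
const NOW = 1700000000;
const token = signHS256({ iss: "https://issuer.example", sub: "user-123", iat: NOW, exp: NOW + 300 }, SECRET);

console.log(verifyHS256(token, SECRET, NOW).reason);
console.log(verifyHS256(withModifiedPayload(token, { sub: "user-456" }), SECRET, NOW).reason);
```

The modified token still decodes to readable JSON, which is why a decode-only view says nothing about whether a token is authentic.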

Real-World Use Cases

  • Debugging authentication issues by decoding access tokens or ID tokens from OAuth 2.0 / OpenID Connect flows.
  • Creating test JWT tokens with specific claims for API development and integration testing.
  • Verifying token expiration and claim values before submitting tokens to protected API endpoints.
  • Inspecting third-party tokens from identity providers (Auth0, Azure AD, Okta, Cognito) to verify claim structure.
  • Learning about JWT structure, signing algorithms, and token security in a hands-on environment.

Frequently Asked Questions

Is it safe to paste my JWT token here?

Yes. The tool runs entirely in your browser using JavaScript. No tokens, secrets, keys, or data are sent to any server or stored anywhere.

What does the JWT payload contain?

The payload contains claims — key-value pairs like sub (subject), exp (expiration), iat (issued at), iss (issuer), and any custom application-specific data.

Can I verify RS256 tokens?

Yes. Provide the RSA public key in PEM format and the tool will verify the signature of RS256, RS384, or RS512 tokens. ECDSA keys (ES256, ES384, ES512) are also supported.

Why is my token showing as expired?

The tool compares the exp claim to your current system time. If the expiration timestamp is in the past, the token is marked as expired. Check the exp value in the decoded payload.

Are JWT payloads encrypted?

No. Standard JWT (JWS) payloads are Base64URL-encoded, not encrypted. Anyone can decode and read the payload. For encrypted payloads, use JWE (JSON Web Encryption) instead.

© glutool. v1.0