JWT Decoder & Claims Inspector Guide
A JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact, self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs consist of three parts: a header (specifying the signing algorithm), a payload (containing the claims/user data), and a signature (used to verify validity). This utility decodes JWTs client-side, parses standard claims, and verifies HMAC signatures in the browser.
⚙️ Key Features
- Decodes JWT tokens client-side, displaying header and payload JSON structures.
- Parses standard claims (expiration, issued at, audience) into readable local date and times.
- Cryptographically verifies HMAC signatures (HS256, HS384, HS512) using browser-native Web Crypto API.
- Displays visual warning banners for expired or invalid tokens.
📖 How to Use
- Paste your JWT token string into the token input box.
- The tool will instantly decode the token and display the parsed header and payload.
- Review the Claims summary panel to see dates like Expiration and Issued At.
- To verify the signature, enter your HMAC secret key in the verification panel.
Decoding, parsing, and cryptographic signature validations are performed client-side. No tokens or keys are ever uploaded or transmitted.
Frequently Asked Questions (FAQ)
Is it safe to paste my JWT token into this website?
Yes, this tool decodes the token entirely in your browser using JavaScript. No token details or secret keys are sent to a server. You can verify this by inspecting the network tab or running the page offline.
What does the expiration claim (exp) mean?
The `exp` claim specifies the expiration time on or after which the JWT must not be accepted for processing. It is represented as a Unix epoch timestamp in seconds.
Can a client-side decoder verify RSA or ECDSA signatures?
Decoders can parse and display tokens signed with RSA or ECDSA. However, cryptographically verifying these signatures requires the corresponding public keys (often fetched via JWKS endpoints), which is not supported in simple HMAC verification inputs.