Free online tool
Free Online JWT Decoder & Verifier
Decode and verify JWT tokens in your browser. Inspect header and payload, see human-readable countdowns for exp/iat/nbf claims, and verify HMAC signatures (HS256/HS384/HS512) with your own secret. 100% client-side — tokens and secrets never leave your browser.
Paste the shared secret. Verification runs entirely in your browser via Web Crypto — the secret never leaves the page.
01How it works
Paste your JWT
Paste the full three-segment JWT token into the input box. The header and payload decode instantly — no button click needed.
Inspect header, payload, and claims
The decoder pretty-prints the header and payload as JSON and highlights time-sensitive claims (exp, iat, nbf, auth_time) with human-readable local timestamps and live countdowns.
Verify the signature (optional)
Paste the shared secret in the verify box to check HMAC signatures (HS256/HS384/HS512) via native Web Crypto. The result updates live as you type — green for valid, red for invalid, amber for unsupported algorithms.
FAQ
Frequently asked questions
Are my tokens or secrets uploaded anywhere?
No. Everything runs in your browser via native Web Crypto. The JWT you paste, the secret you enter for verification, and the decoded output never leave the page — no network requests, no telemetry, no storage. You can confirm this in DevTools → Network tab while the tool runs.
Can this tool verify the JWT signature?
Yes — HMAC algorithms (HS256, HS384, HS512) are supported via the native Web Crypto API. Paste your shared secret in the verify box and the result updates live as you type. For RSA (RS256/RS384/RS512) or ECDSA (ES256/ES384/ES512) tokens the payload is still decoded but signature verification is not supported yet — use a dedicated JWT library for those.
How do the exp/iat/nbf countdowns work?
The exp (expires), iat (issued at), nbf (not before), and auth_time claims are rendered as human-readable local dates plus a live countdown like 'expires in 2h 14m' or 'expired 3d ago'. The countdown ticks every 30 seconds so the relative time stays accurate while you work.
What does a valid signature actually prove?
A valid signature proves the token was issued by someone who knows the shared secret — it does NOT prove the claims themselves are true, check the iss/aud/exp fields yourself. This tool only verifies the cryptographic signature; it does not enforce claim-level policies. Always combine signature verification with your own claim validation in production.
Need AI-powered document extraction?
This tool uses client-side processing. anyrow uses AI to extract structured data from PDFs, images, and scanned documents with 99% accuracy. 150 free extractions/month — no credit card required.