JWT Decoder Pro — Advanced Token Analysis
Decode and verify JSON Web Tokens with signature verification (HMAC & RSA), expiry checking, and claims extraction. Supports HS256, HS512, RS256, and RS512. No signup required.
How to Use JWT Decoder Pro
1. Paste your JWT token into the "JWT Token" field. It should be a string with three parts separated by dots: header.payload.signature.
2. Choose a verification method: "No Verification" to just decode, or select an algorithm (HS256, HS512, RS256, RS512) to verify the signature.
3. If verifying, provide either the secret key (for HMAC algorithms) or the public key (for RSA algorithms). The tool will verify the signature and report valid/invalid.
4. Review the decoded information: header, payload, signature, expiry status, claims, and token age. Copy any section using the "Copy" button.
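The four steps above, as an added example that is not JWT Decoder Pro's own code: a Node.js script that splits the token at its dots, base64url-decodes the header and payload without checking the signature (the tool's "No Verification" mode), separates the RFC 7519 registered claims from custom ones, and reports expiry status and token age. The sample token, its claim values and the issuer URL are constructed for this example; the signature it carries is a placeholder.

```javascript
// Added example, not code from JWT Decoder Pro. Decodes a JWT structurally
// (no signature verification), then analyzes its claims and time fields.
const STANDARD_CLAIMS = ["iss", "sub", "aud", "exp", "nbf", "iat", "jti"];

// base64url as used by JWS: '+' -> '-', '/' -> '_', and no '=' padding
function base64urlEncode(data) {
  return Buffer.from(data).toString("base64")
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

function base64urlDecode(str) {
  const b64 = str.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, "base64");
}

// Structural decode only: nothing here proves the token is authentic.
function decodeJwt(token) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) {
    throw new Error("JWT must be header.payload.signature (three dot-separated parts)");
  }
  const [h, p, s] = parts;
  return {
    header: JSON.parse(base64urlDecode(h).toString("utf8")),
    payload: JSON.parse(base64urlDecode(p).toString("utf8")),
    signature: base64urlDecode(s), // raw bytes; only ever compared, never parsed
  };
}

// Split RFC 7519 registered claims from custom ones and evaluate the time claims.
// `now` is seconds since the Unix epoch; pass it explicitly for deterministic results.
function analyzeClaims(payload, now = Math.floor(Date.now() / 1000)) {
  const standard = {};
  const custom = {};
  for (const [key, value] of Object.entries(payload)) {
    (STANDARD_CLAIMS.includes(key) ? standard : custom)[key] = value;
  }
  const hasExp = Number.isInteger(payload.exp);
  const hasNbf = Number.isInteger(payload.nbf);
  const hasIat = Number.isInteger(payload.iat);
  const status = {
    // RFC 7519: the current time MUST be before "exp" and MUST NOT be before "nbf"
    expired: hasExp && now >= payload.exp,
    notYetValid: hasNbf && now < payload.nbf,
    secondsRemaining: hasExp ? payload.exp - now : null,
    ageSeconds: hasIat ? now - payload.iat : null,
  };
  status.active = !status.expired && !status.notYetValid;
  return { standard, custom, status };
}

// Constructed sample: issued at 1700000000, valid for one hour, one custom claim,
// and a zero-filled placeholder where a real signature would be.
function sampleToken() {
  const header = { alg: "HS256", typ: "JWT" };
  const payload = {
    iss: "https://issuer.example", sub: "user-42",
    iat: 1700000000, exp: 1700003600, role: "reader",
  };
  const placeholderSignature = Buffer.alloc(32); // NOT a real signature
  return [
    base64urlEncode(JSON.stringify(header)),
    base64urlEncode(JSON.stringify(payload)),
    base64urlEncode(placeholderSignature),
  ].join(".");
}

const decoded = decodeJwt(sampleToken());
console.log("header:", decoded.header);
console.log("analysis at 1700001800:", analyzeClaims(decoded.payload, 1700001800));
```

Because the signature is never checked here, every field this script prints is exactly what the token's author chose to put there; the analysis tells you what the token claims, not whether anyone should believe it.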
JWT Decoder Pro Features
The JWT Decoder Pro goes beyond basic decoding to provide comprehensive token analysis and verification tools for developers and security teams.
Key Features
Signature Verification
Verify HMAC (HS256, HS512) and RSA (RS256, RS512) signatures to ensure tokens haven't been tampered with. Requires the secret or public key used to sign the token.
Expiry Analysis
Check whether a token is still active or has expired. See exactly when it was issued and how much time remains before expiration. Essential for managing session validity.
Claims Extraction
Automatically extract and display standard JWT claims (subject, issuer, audience, not-before) plus all custom claims in the payload. Useful for understanding what permissions a token grants.
Token Debugging
View the raw header, payload, and signature sections in formatted JSON. Quickly diagnose authentication issues or inspect token contents during development.
Multiple Algorithms
Support for four signature algorithms: HMAC SHA-256, HMAC SHA-512, RSA SHA-256, and RSA SHA-512. Choose the algorithm that matches your token's header.
One-Click Copy
Easily copy any section (header, payload, signature, or full claims) to your clipboard with a single click. Perfect for integrating data into other tools or APIs.
Common Use Cases
API Authentication Debugging
Developers use JWT Decoder Pro to inspect bearer tokens sent to APIs, verify they're valid, check expiry, and extract claims to debug authorization issues. No more opaque token strings in logs.
OAuth2 and OpenID Connect Inspection
OAuth2 flows rely on JWTs for access and ID tokens. Decode them to understand what scopes and claims your application receives from an authorization server.
Security Audits and Verification
Security teams verify JWT signatures to confirm tokens originate from trusted issuers and haven't been forged. Signature verification is critical before accepting a token.
Session Management
Web applications use JWTs for stateless session management. Decode tokens to check expiry, refresh timing, and user identity without querying a database.
Frequently Asked Questions
What is a JSON Web Token (JWT)?
A JSON Web Token (JWT) is a standard (RFC 7519) for securely transmitting information between parties. It consists of three parts separated by dots: header (algorithm and token type), payload (claims and data), and signature (verification). JWTs are commonly used for authentication and authorization in APIs and single-page applications (SPAs).
How do I use the signature verification?
The JWT Decoder Pro can verify signatures using HMAC (HS256, HS512) or RSA (RS256, RS512) algorithms. For HMAC, provide the secret key that was used to sign the token. For RSA, provide the public key in PEM format. The tool will compute the expected signature and compare it to the one in the token. A ✓ Valid badge means the signature is correct; ✗ Invalid means the token was tampered with or signed with a different key.
What is token expiry and why does it matter?
Token expiry is set via the "exp" claim in the JWT payload, representing the Unix timestamp when the token is no longer valid. Expiry ensures tokens cannot be used indefinitely—if compromised, an expired token cannot be reused. The tool shows whether a token is still active or has expired, how much time remains, and when it was originally issued. Always check expiry before using a token in production.
What are standard JWT claims?
Standard claims (defined in RFC 7519) include: "sub" (subject—who the token is for), "iss" (issuer—who created it), "aud" (audience—who should accept it), "exp" (expiration time), "iat" (issued at), "nbf" (not before). The tool displays all standard claims found in your token. Custom claims can also be included in the payload and are shown in the full payload JSON.
Why does the verification say "Invalid" even though I provided the correct secret?
This can happen for several reasons: (1) You used the wrong algorithm—make sure the algorithm you select matches the token's "alg" field in the header. (2) The secret is whitespace-sensitive—copy it carefully, especially for multi-line RSA keys. (3) For RSA, ensure you're using the public key, not the private key. (4) The token may have been modified or tampered with. Try copying the token directly from its source.
Can I decode a token without verifying the signature?
Yes. Select "No Verification" from the dropdown. The tool will decode and display the header, payload, and signature without verifying them. This is useful for inspecting a token's contents without a secret or public key. Note that anyone can decode a JWT without the secret (the header and payload are only base64url-encoded, not encrypted), so decoding does not guarantee authenticity—only verification does.
What is the difference between HS256 and RS256?
HS256 (HMAC SHA-256) uses a shared secret key to sign and verify tokens—both the signer and verifier have the same secret. RS256 (RSA SHA-256) uses a private key to sign and a public key to verify—ideal for scenarios where many parties need to verify but only one issues tokens. Choose HS256 for simple applications; use RS256 for distributed systems where you want to scale verification.
Is my token sent to any server?
All decoding and verification happens on your device using server-side processing for signature verification. The token is never logged, stored, or transmitted to external services. You can safely decode and verify sensitive tokens, API keys, or authentication tokens without privacy concerns.