A JWT decoder splits a JSON Web Token into its header, payload and signature and shows you what is inside. TechWhack also turns the timestamp claims (iat, exp, nbf) into readable dates, runs a live countdown to expiry, and can verify an HS256 signature against your secret — all in your browser, so your token is never sent anywhere.
A decoder is not a vault
A JWT payload is only Base64URL-encoded, not encrypted. Anyone who holds the token can read it, so never put secrets in a token. Decoding here happens entirely on your device; your token and secret never leave the browser. Verifying only confirms the signature is authentic; it does not make the contents private.
FAQ
Is a JWT encrypted or just encoded?
A standard JWT is Base64URL-encoded, not encrypted, so anyone holding the token can read its header and payload. Never put passwords or secrets in the claims; the signature only proves the token was not altered and does not hide the contents.
What is the difference between decoding and verifying a JWT?
Decoding just Base64URL-decodes the header and payload into readable JSON, which anyone can do without a key. Verifying checks the signature with the secret or public key to confirm the token is authentic and untampered; always verify before trusting claims.
How do I tell if a JWT is expired?
The exp claim holds the expiry as a Unix timestamp, which is converted here into a readable date with a live countdown. The iat (issued at) and nbf (not before) claims are decoded the same way so you can see the full validity window.
Can it check whether the signature is valid?
Yes. For HS256 tokens you can paste your secret and it verifies the signature against the header and payload. This confirms the token has not been modified, which is separate from simply reading the claims.
Is it safe to paste a real production token here?
The token is decoded entirely in your browser and never sent anywhere, so it does not leave your device. The bigger caution is that a JWT payload is readable by anyone who has the token, so treat the token itself as a secret.
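The difference between decoding and verifying described in the FAQ, together with the nbf/exp validity window, shown as an added Node.js example; this is not TechWhack's code. The function names (decodeJwt, verifyHs256), the secret and the sample tokens are constructed for illustration.

```javascript
// Added example; runs on Node.js 16+. Names and sample values are constructed.
const crypto = require("crypto");

const b64url = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
const fromB64url = (part) => JSON.parse(Buffer.from(part, "base64url").toString("utf8"));
const hmac = (input, secret) => crypto.createHmac("sha256", secret).update(input).digest();

// Decoding needs no key and proves nothing about who issued the token.
function decodeJwt(token) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  return { header: fromB64url(parts[0]), payload: fromB64url(parts[1]), parts };
}

// Verifying recomputes HMAC-SHA256 over "header.payload" with the secret,
// compares in constant time, then applies the nbf/exp validity window.
function verifyHs256(token, secret, nowSec = Math.floor(Date.now() / 1000)) {
  const { header, payload, parts } = decodeJwt(token);
  // Pin the algorithm; never let the token's own header choose it.
  if (header.alg !== "HS256") return { valid: false, reason: "unexpected alg" };
  const expected = hmac(`${parts[0]}.${parts[1]}`, secret);
  const given = Buffer.from(parts[2], "base64url");
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return { valid: false, reason: "bad signature" };
  }
  if (typeof payload.nbf === "number" && nowSec < payload.nbf) {
    return { valid: false, reason: "not yet valid" };
  }
  if (typeof payload.exp === "number" && nowSec >= payload.exp) {
    return { valid: false, reason: "expired" };
  }
  return { valid: true, payload };
}

// Constructed sample: a token signed with a demo secret, valid for one hour.
const SECRET = "constructed-demo-secret";
const head = b64url({ alg: "HS256", typ: "JWT" });
const body = b64url({ sub: "user-123", iat: 1700000000, nbf: 1700000000, exp: 1700003600 });
const sig = hmac(`${head}.${body}`, SECRET).toString("base64url");
const token = `${head}.${body}.${sig}`;
// Same header and signature, edited payload: still decodes, must not verify.
const edited = `${head}.${b64url({ sub: "admin", exp: 1700003600 })}.${sig}`;

console.log(decodeJwt(edited).payload);                // readable without any key
console.log(verifyHs256(edited, SECRET, 1700000100));  // rejected: bad signature
console.log(verifyHs256(token, SECRET, 1700000100));   // accepted inside the window
console.log(verifyHs256(token, SECRET, 1700003600));   // rejected: expired
```

The edited token decodes cleanly, which is why claims read from a decoder should only be trusted after the signature and time checks pass.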