JWT Decoder & Token Generator
Decode, verify, and generate JSON Web Tokens (JWT) entirely within your browser. The tool uses a 100% client-side Web Crypto API implementation to prevent data leaks: your tokens and secret keys never leave your device.
100% Private & Secure
This tool runs completely inside your browser using client-side WebAssembly and JS. Zero data is ever sent to our servers.
How to use this tool
- Paste your encoded JSON Web Token (JWT) into the left pane to decode it instantly.
- The Header and Payload will automatically unfold in the right editor panes as formatted JSON.
- To verify the signature, enter your 256-bit HS256 secret key in the verification box.
- To use as a Generator/Encoder: Simply modify the decoded JSON. The encoded JWT in the left pane will rebuild and re-sign in real-time.
Example Usage
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
Header: { "alg": "HS256", "typ": "JWT" }
Payload: { "sub": "1234567890", "name": "John Doe", "iat": 1516239022 }
When to use this tool
- Backend Debugging: Safely parsing JWTs issued by Auth0, Firebase, or Supabase during local API development.
- Token Forging (Pen-Testing): Modifying the 'sub' or 'roles' claims to test your backend's zero-trust authorization logic.
- Security Auditing: Ensuring your application isn't leaking PII (Personally Identifiable Information) inside unencrypted JWT payloads.
- Client-Side Simulation: Generating valid JWTs for frontend state testing without mocking a full authentication backend.
Frequently Asked Questions
Is this JWT Decoder safe to use?
Yes, it is fundamentally safer than server-side decoders. The parsing and HMAC-SHA256 signature generation are done using your browser's native Web Crypto API. No network requests are made, and your secret keys never touch our servers.
Can I use this as a JWT Encoder or Generator?
Absolutely. When you edit the JSON in the Header or Payload boxes, the left panel automatically regenerates the base64url-encoded token. If you provide a secret, the tool signs the token with a new cryptographic signature.
What is the difference between JWT and OAuth?
OAuth is an authorization framework (the protocol for exchanging credentials), whereas JWT is a specific, stateless token format. An OAuth server will often grant a JWT to a client to be used as a Bearer Token.
Why is 'audiences in jwt are not allowed' happening?
If you see audience (aud) errors, it means the API explicitly requires the JWT to declare who it is intended for, and yours doesn't match. You can use our tool to manually inject an 'aud' claim into the payload and re-sign it to test this behavior.
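The signing and checking steps described in the FAQ answers above and in the "Token Forging" use case, as an added example that is not DevToolsLabs' own code: HS256 signing and verification with the Web Crypto API, where the verifier pins `alg`, checks the signature before trusting any claim, and then checks `aud`. The function names, the reason strings and the `expectedAud` parameter are assumptions chosen for illustration.

```javascript
// Added example (not the tool's own code): HS256 over the Web Crypto API.
const { subtle } = globalThis.crypto ?? require("node:crypto").webcrypto; // fallback: Node 18 CommonJS
const enc = new TextEncoder();
// Sample token from the page's "Example Usage" section.
const PAGE_TOKEN = "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c";

// base64url <-> bytes (JWT segments use the URL-safe alphabet without padding).
function b64uToBytes(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  return Uint8Array.from(atob(b64 + "=".repeat((4 - (b64.length % 4)) % 4)), (c) => c.charCodeAt(0));
}
const bytesToB64u = (b) =>
  btoa(String.fromCharCode(...b)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const toSegment = (obj) => bytesToB64u(enc.encode(JSON.stringify(obj)));
const decodeJson = (seg) => JSON.parse(new TextDecoder().decode(b64uToBytes(seg)));
const hmacKey = (secret, usage) =>
  subtle.importKey("raw", enc.encode(secret), { name: "HMAC", hash: "SHA-256" }, false, [usage]);

// Encoder side: build header.payload and append the HMAC-SHA256 signature.
async function signHS256(payload, secret) {
  const input = `${toSegment({ alg: "HS256", typ: "JWT" })}.${toSegment(payload)}`;
  const sig = await subtle.sign("HMAC", await hmacKey(secret, "sign"), enc.encode(input));
  return `${input}.${bytesToB64u(new Uint8Array(sig))}`;
}

// Verifier side: decoding alone proves nothing, so claims are returned only after all checks pass.
async function verifyHS256(token, secret, expectedAud) {
  const [h, p, s, ...extra] = token.split(".");
  let header, payload, sig;
  try {
    if (!s || extra.length) throw new Error("need exactly three non-empty segments");
    header = decodeJson(h); payload = decodeJson(p); sig = b64uToBytes(s);
  } catch { return { ok: false, reason: "malformed" }; }
  // Pin the algorithm on the verifier; never let the token's header choose it.
  if (header?.alg !== "HS256") return { ok: false, reason: "alg not allowed" };
  const key = await hmacKey(secret, "verify");
  if (!(await subtle.verify("HMAC", key, sig, enc.encode(`${h}.${p}`))))
    return { ok: false, reason: "bad signature" };
  const aud = [].concat(payload?.aud ?? []); // aud may be a string or an array
  if (expectedAud && !aud.includes(expectedAud)) return { ok: false, reason: "audience mismatch" };
  return { ok: true, payload };
}

// A payload edited without re-signing: same header and signature, new claims.
function replacePayload(token, payload) {
  const [h, , s] = token.split(".");
  return `${h}.${toSegment(payload)}.${s}`;
}
```

A backend that behaves like `verifyHS256` rejects a payload edited without the secret as `bad signature`; only a token re-signed with the server's own key passes, which is why that key must never be shared with clients.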
Built by Developers, For Developers
DevToolsLabs is engineered by a team of full-stack developers who were tired of spammy, ad-filled, server-side tools parsing our sensitive data. Every utility on this site is rigorously tested, strictly client-side (your data never leaves your browser), and built to solve real-world software engineering challenges.