EazyTools LogoEazyTools

JWT Encoder & Decoder

Decode, inspect, verify, and create JSON Web Tokens instantly in your browser.

Header
Payload
Signature

About JWT Encoder & Decoder

What is a JWT?
A JSON Web Token (JWT, pronounced "jot") is a compact, URL-safe string format for representing claims between two parties. It is defined by RFC 7519. A JWT has three Base64URL-encoded parts separated by dots: header.payload.signature. The header describes the signing algorithm; the payload holds the claims (user ID, roles, expiry, etc.); the signature proves the token was not tampered with (when using a shared secret or private key).

Why do developers use JWTs?
JWTs are widely used for stateless authentication and authorization in REST APIs, OAuth 2.0, and OpenID Connect. After a user logs in, the server issues a signed JWT; the client sends it on subsequent requests (usually in an Authorization: Bearer header). The server can verify the signature and read the claims without storing session state in a database.

How to use this tool:
Decode: Paste a JWT into the token field. The header and payload are decoded instantly. Optional: enter the HMAC secret to verify HS256 signatures. Timestamps like exp, iat, and nbf are shown in human-readable UTC time.
Encode: Switch to Encode mode, edit the header and payload JSON, choose HS256 or unsigned (none), provide a secret for HS256, and click Generate Token.
Click Load sample to try a demo token signed with the secret your-256-bit-secret.

Privacy & Security
All decoding, encoding, and signature verification runs entirely in your browser using the Web Crypto API. Your tokens and secrets are never uploaded to our servers. Never paste production secrets into untrusted websites — this tool is for debugging and learning.

Frequently Asked Questions

Is my JWT or secret sent to a server?

No. Every operation happens locally in your browser. We do not log, store, or transmit your tokens, headers, payloads, or signing secrets.

Can this tool verify RS256 or ES256 signatures?

You can decode any JWT and inspect its header and payload regardless of algorithm. Signature verification in this tool is limited to HS256 (HMAC with SHA-256) because RS256/ES256 require RSA or EC public keys that are impractical to handle safely in a simple browser UI. Use your backend SDK or openssl for asymmetric verification.

What is the difference between decoding and verifying?

Decoding only Base64URL-decodes the header and payload — anyone can read them. Verifying checks the cryptographic signature to confirm the token was issued by someone who holds the secret (HS256) or private key (RS256/ES256) and that the content has not been modified. Never trust a decoded JWT for authorization without verification.

What does alg: none mean?

The 'none' algorithm means the JWT is unsigned. It offers no integrity protection and must not be accepted by production systems. Some frameworks explicitly reject alg:none tokens. This tool can create unsigned tokens for testing only.

Why does my token show 'expired' for the exp claim?

The exp (expiration time) claim is a Unix timestamp in seconds. If the current time is past that value, the token is considered expired by spec-compliant validators — even if the signature is still cryptographically valid.

What is Base64URL and how is it different from Base64?

JWTs use Base64URL encoding: '+' becomes '-', '/' becomes '_', and padding '=' is omitted. This makes tokens safe to use in URLs and HTTP headers without extra escaping. Standard Base64 strings may fail to decode correctly if used directly as JWT segments.