JWT Decoder and Verifier
Decode JWT tokens and verify signatures in your browser. Inspect header, payload and claims. Verify HMAC, RSA and ECDSA. 100% private.
100% client-side · no upload · SubtleCrypto verified
How to use
- Paste any JWT token into the input field — the header, payload, and standard claims decode instantly.
- Review the color-coded sections: the header shows the algorithm and token type; the payload shows all claims including issuer, subject, and expiry.
- To verify the signature, paste your HMAC shared secret or PEM-encoded RSA/ECDSA public key into the verification field and click Verify Signature.
Frequently asked questions
- Does my JWT leave my browser?
- No. The entire decoding and verification process runs in your browser using the built-in Web Crypto API (SubtleCrypto). Your token, secret, or key is never sent to any server.
- Can this tool verify JWT signatures?
- Yes. For HMAC tokens (HS256, HS384, HS512) enter your shared secret. For RSA (RS256, RS384, RS512) and ECDSA (ES256, ES384, ES512) tokens paste the PEM-encoded public key. The browser's SubtleCrypto API performs the cryptographic check entirely client-side.
- What does the exp claim mean and does the tool check it?
- exp is the "expiration time" — a Unix timestamp (seconds since epoch) after which the token must not be accepted. This tool highlights expired tokens in red and shows a human-readable relative time so you can spot stale tokens at a glance.
- What algorithms are supported?
- Decoding works for any JWT. Signature verification supports HS256, HS384, HS512 (HMAC), RS256, RS384, RS512 (RSA PKCS#1 v1.5), and ES256, ES384, ES512 (ECDSA). The algorithm is read automatically from the JWT header.
- Why should I use this instead of jwt.io?
- jwt.io sends your token to their servers for decoding. This tool is 100% client-side — nothing ever leaves your device. It is safe to use with production tokens, API keys embedded in JWTs, or tokens containing PII.
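The HMAC signature check and the exp check described in the answers above, sketched with the Web Crypto API. This is an added example, not the tool's own code; the function names, the secret and the sample token are constructed for illustration. It goes slightly beyond the text by rejecting any header algorithm outside a fixed HMAC allow-list instead of using whatever the header names.

```javascript
// Added example (not the tool's code): HMAC JWT check with Web Crypto.
const subtle = globalThis.crypto?.subtle ??
  (typeof require === 'function' ? require('node:crypto').webcrypto.subtle : undefined);
// Allow-list of HMAC algorithms; anything else in the header is rejected.
const HASH = { HS256: 'SHA-256', HS384: 'SHA-384', HS512: 'SHA-512' };
const enc = new TextEncoder(), dec = new TextDecoder();

function b64urlDecode(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Uint8Array.from(atob(padded), c => c.charCodeAt(0));
}
function b64urlEncode(bytes) {
  return btoa(String.fromCharCode(...bytes))
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
function hmacKey(secret, alg, usage) {
  return subtle.importKey('raw', enc.encode(secret),
    { name: 'HMAC', hash: HASH[alg] }, false, [usage]);
}
// Helper used only to build a constructed sample token for the demo.
async function signJwt(header, payload, secret) {
  const input = [header, payload]
    .map(o => b64urlEncode(enc.encode(JSON.stringify(o)))).join('.');
  const key = await hmacKey(secret, header.alg, 'sign');
  const sig = await subtle.sign('HMAC', key, enc.encode(input));
  return `${input}.${b64urlEncode(new Uint8Array(sig))}`;
}
// Returns decoded parts plus two independent verdicts: signature and expiry.
async function verifyJwt(token, secret, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('expected header.payload.signature');
  const header = JSON.parse(dec.decode(b64urlDecode(parts[0])));
  const payload = JSON.parse(dec.decode(b64urlDecode(parts[1])));
  if (!Object.hasOwn(HASH, header.alg)) throw new Error(`unsupported alg: ${header.alg}`);
  const key = await hmacKey(secret, header.alg, 'verify');
  // The signature covers the exact ASCII bytes of "<header>.<payload>".
  const signatureValid = await subtle.verify('HMAC', key,
    b64urlDecode(parts[2]), enc.encode(`${parts[0]}.${parts[1]}`));
  // exp is in seconds since the epoch; Date.now() is in milliseconds.
  const expired = typeof payload.exp === 'number' && nowSec >= payload.exp;
  return { header, payload, signatureValid, expired };
}
// Demo with a constructed token and secret (exp is a fixed past timestamp).
signJwt({ alg: 'HS256', typ: 'JWT' }, { sub: 'demo', exp: 1700000000 }, 'constructed-secret')
  .then(t => verifyJwt(t, 'constructed-secret'))
  .then(r => console.log('signature valid:', r.signatureValid, 'expired:', r.expired));
```

The two verdicts are reported separately because a token can carry a valid signature and still be expired; a caller should require `signatureValid && !expired`.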
Last updated: By jarvisbox