JWT Decoder
Decode and verify JSON Web Tokens.
Decoding and Verifying JSON Web Tokens
Overview
JSON Web Tokens (JWTs) are the de facto standard for stateless authentication in modern web apps. A JWT is three Base64URL-encoded segments separated by dots: header.payload.signature. The header declares the algorithm; the payload carries claims about the user (sub, exp, iss, custom fields); the signature proves the token wasn't tampered with. This decoder lets you inspect any JWT instantly, verify the signature (if you have the secret or public key), and detect expired or not-yet-valid tokens — all in your browser, never sending the token anywhere.
How to use (step by step)
1. Paste your JWT
   The three-part token (header.payload.signature) separated by dots. Trailing newlines and spaces are handled automatically.
2. Read the decoded header and payload
   Algorithm, expiration time (exp), issued-at (iat), subject (sub) — all clearly labeled. Expiry status is shown in human time.
3. Verify the signature if you have the secret
   Paste the HMAC secret, or the public key for asymmetric algorithms. The tool tells you instantly whether the signature is valid.
How it works
The tool splits the token on dots, Base64URL-decodes the header and payload to JSON, and displays them with syntax highlighting. The third segment (signature) is shown raw. For HS256/384/512 algorithms, paste the shared secret and the tool computes HMAC and compares to the token's signature — a match means the token is authentic. For RS256/RS384/RS512 and ES256/ES384/ES512, paste the public key (PEM format) and the tool verifies using Web Crypto API. Standard claims (exp, iat, nbf) are interpreted into human-readable countdowns.
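The same pipeline for the HMAC case, as an added example that is not this tool's own code: it uses Node.js's `crypto` module rather than the browser's Web Crypto API so that it runs synchronously. The function names, the secret and the sample token are constructed for illustration, and the allow-list of algorithms is an assumption about how a verifier should be configured rather than something the page describes.

```javascript
const crypto = require("node:crypto");

const HMAC_ALGS = { HS256: "sha256", HS384: "sha384", HS512: "sha512" };

// Base64URL segment -> parsed JSON object.
function decodeSegment(seg) {
  return JSON.parse(Buffer.from(seg, "base64url").toString("utf8"));
}

// Decode only: nothing returned here is trusted until the signature is checked.
function decodeJwt(token) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const [h, p, s] = parts;
  return {
    header: decodeSegment(h),
    payload: decodeSegment(p),
    signingInput: `${h}.${p}`, // the exact bytes the signature covers
    signature: Buffer.from(s, "base64url"),
  };
}

// Verify an HS* token, then its time claims. `now` is in seconds since the epoch.
function verifyHs(token, secret, now = Math.floor(Date.now() / 1000), allowed = ["HS256"]) {
  const { header, payload, signingInput, signature } = decodeJwt(token);
  // The verifier, not the token's header, decides which algorithms are acceptable.
  const hash = allowed.includes(header.alg) ? HMAC_ALGS[header.alg] : undefined;
  if (!hash) return { valid: false, reason: "alg not allowed" };
  const expected = crypto.createHmac(hash, secret).update(signingInput).digest();
  // Constant-time comparison; timingSafeEqual requires equal lengths.
  if (expected.length !== signature.length || !crypto.timingSafeEqual(expected, signature)) {
    return { valid: false, reason: "bad signature" };
  }
  if (typeof payload.nbf === "number" && now < payload.nbf) return { valid: false, reason: "not yet valid" };
  if (typeof payload.exp === "number" && now >= payload.exp) return { valid: false, reason: "expired" };
  return { valid: true, payload };
}

// Constructed sample: builds an HS256 token so the example runs offline.
function signSample(payload, secret) {
  const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
  const input = `${enc({ alg: "HS256", typ: "JWT" })}.${enc(payload)}`;
  const sig = crypto.createHmac("sha256", secret).update(input).digest("base64url");
  return `${input}.${sig}`;
}

const SAMPLE_SECRET = "constructed-demo-secret";
const SAMPLE_TOKEN = signSample({ sub: "user-1", iat: 1700000000, exp: 1700003600 }, SAMPLE_SECRET);
```

The signature is checked before `exp` and `nbf` are read, so claim values from an unauthenticated token never influence the result.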
When it is useful
- Debugging authentication issues ('why is my API rejecting this token?').
- Inspecting Auth0/Firebase/Supabase tokens to see what claims they carry.
- Verifying that token expiration works correctly in your app.
- Understanding what a third-party JWT contains before trusting it.
- Reverse-engineering an unfamiliar API's auth scheme.
- Educational: showing students what a JWT actually looks like inside.
Frequently asked questions
No. Anyone can decode a JWT (the data is just Base64-encoded, not encrypted) and see all claims. Verifying means cryptographically checking the signature with the secret/public key to confirm the token is authentic and unmodified. Always verify before trusting.
Important notices
JWTs are signed but not encrypted by default — anyone with the token can read all claims. Don't store sensitive data (PII, payment info) in the JWT payload unless you are using JWE (the encrypted variant).