JWT Decoder and Verifier — Inspect JSON Web Tokens
// json web token inspector
Paste any JWT to instantly decode its header, payload and claims. Signature verification for HMAC algorithms runs entirely in the browser — your token and secret never leave this page.
token input
header
payload
signature
header
awaiting token…
payload
awaiting token…
signature
awaiting token…
signature verification
paste a token first
algorithm reference
| HS256symmetric | HMAC-SHA256. Shared secret — both parties hold the same key. Common in single-service auth. |
| HS384 | HMAC-SHA384. Larger digest; rarely needed over HS256 unless mandated by compliance. |
| HS512 | HMAC-SHA512. Strongest HMAC variant. Useful on 64-bit systems where SHA-512 is native speed. |
| RS256asymmetric | RSA-PKCS1v1.5 + SHA-256. Private key signs; public key verifies. Standard for third-party identity providers (OIDC). |
| RS384 / RS512 | RS256 variants with larger SHA digests. Functionally equivalent; used when standards mandate them. |
| ES256asymmetric | ECDSA P-256 + SHA-256. Shorter signatures than RSA, strong security. Preferred in modern APIs and mobile. |
| none | Unsigned token. Reject these server-side — accepting "alg: none" is a well-known critical vulnerability. |