
JWT Analyzer

Decode, inspect, and verify JWT tokens — 100% client-side

JWT Token

Accepts raw tokens or Authorization: Bearer ... values

HS256 | ♾️ No Expiry

Security Analysis

⚠️ HS256 uses a shared secret (symmetric). For public APIs prefer RS256 or ES256 to avoid distributing the secret.
⚠️ No "exp" claim — this token never expires, increasing risk if leaked.
ℹ️ No "iss" (issuer) claim — token origin cannot be verified.
ℹ️ No "aud" (audience) claim — any service could accept this token.

Header

{
  "alg": "HS256",
  "typ": "JWT"
}

Payload

{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022
}
Subject (sub): 1234567890
Issued (iat): 1/18/2018, 8:30:22 AM

Verify Signature

Enter the HMAC secret to verify this HS256 token's signature client-side. Try: your-256-bit-secret

JWT Decoder & Analyzer — Free Online Tool

Decode and inspect JSON Web Tokens (JWTs) instantly in your browser. Paste any JWT to see the decoded header, payload claims, and signature — with expiration status, algorithm details, and security checks. Works with HS256, RS256, ES256, and all standard JWT algorithms.

Key Features

  • Decode JWT header, payload, and signature instantly
  • Human-readable timestamps for iat, exp, and nbf claims
  • Expiration status — see if a token is valid, expired, or not yet active
  • Algorithm identification (HS256, RS256, ES384, ES512, etc.)
  • Security analysis — flags missing claims and weak configurations
  • Copy decoded sections as formatted JSON
  • Auto-strips the "Bearer " prefix from Authorization headers
  • 100% client-side — your tokens never leave your browser

Common Use Cases

  • Debugging authentication failures in web applications
  • Inspecting JWT claims from OAuth2 / OpenID Connect providers
  • Verifying token expiration during API integration testing
  • Understanding JWT structure for documentation or learning
  • Checking which permissions (scopes) are encoded in an access token
  • Security auditing JWT algorithm and claim configuration

Frequently Asked Questions

How do I decode a JWT token online?

Paste the JWT into the decoder at inspectly.dev/jwt. The tool splits it into three parts (header, payload, signature), Base64URL-decodes each, and displays the JSON with readable timestamps. No sign-up needed.

Is it safe to decode a JWT in an online tool?

This tool decodes JWTs entirely in your browser — no data is sent to any server. For tokens with sensitive PII, use private browsing mode as an extra precaution.

Can this tool verify the JWT signature?

The decoder shows the algorithm and decodes the payload without requiring a secret key. It flags tokens using the "none" algorithm, which marks a token as unsigned; accepting such tokens is a known security vulnerability.

What does "JWT is expired" mean?

JWTs contain an "exp" claim (expiration) as a Unix timestamp. If the current time is past that value, the token is expired and should be rejected by your API. The decoder shows expiration in a human-readable date format.
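The decoding steps and security checks described on this page can be reproduced in a few lines of JavaScript. This is an added example, not the tool's own code: the function names and finding labels are hypothetical, and the sample tokens are constructed from the header and payload shown above with a placeholder signature.

```javascript
// Base64URL -> UTF-8 string ('-' and '_' alphabet, padding stripped).
function b64urlDecode(seg) {
  const b64 = seg.replace(/-/g, '+').replace(/_/g, '/')
    .padEnd(Math.ceil(seg.length / 4) * 4, '=');
  return new TextDecoder().decode(Uint8Array.from(atob(b64), c => c.charCodeAt(0)));
}

// Encoder used only to build the constructed sample tokens below (ASCII JSON only).
function b64urlEncode(obj) {
  return btoa(JSON.stringify(obj)).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Accepts a raw token or an "Authorization: Bearer ..." value.
function decodeJwt(input) {
  const token = input.trim().replace(/^(Authorization:\s*)?Bearer\s+/i, '');
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('expected header.payload.signature');
  return { header: JSON.parse(b64urlDecode(parts[0])),
           payload: JSON.parse(b64urlDecode(parts[1])), signature: parts[2] };
}

// Returns { status, findings }; nowSec is injectable so results are reproducible.
function analyzeJwt(input, nowSec = Math.floor(Date.now() / 1000)) {
  const { header, payload, signature } = decodeJwt(input);
  const findings = [];
  const alg = String(header.alg || '');
  if (alg.toLowerCase() === 'none' || signature === '') findings.push('unsigned');
  else if (/^HS\d+$/.test(alg)) findings.push('symmetric-alg');
  for (const claim of ['exp', 'iss', 'aud'])
    if (!(claim in payload)) findings.push('missing-' + claim);
  let status = 'exp' in payload ? 'valid' : 'no-expiry';
  if (typeof payload.nbf === 'number' && nowSec < payload.nbf) status = 'not-yet-active';
  if (typeof payload.exp === 'number' && nowSec >= payload.exp) status = 'expired';
  return { status, findings };
}

// Constructed samples: header and payload copied from the page; the signature
// segment is a placeholder, not a real HMAC. The second token is fully made up.
const pageToken = [b64urlEncode({ alg: 'HS256', typ: 'JWT' }),
  b64urlEncode({ sub: '1234567890', name: 'John Doe', iat: 1516239022 }), 'c2ln'].join('.');
const expiredNone = [b64urlEncode({ alg: 'none' }),
  b64urlEncode({ iss: 'https://issuer.example', aud: 'api', exp: 1516242622 }), ''].join('.');

console.log(analyzeJwt('Bearer ' + pageToken));
console.log(analyzeJwt(expiredNone, 1516250000));
```

Decoding alone proves nothing about authenticity: a server must still verify the signature and reject "none" before trusting any claim.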

100% private. All processing happens in your browser. Your data never leaves your device — no server uploads, no accounts required, no tracking.