Decode and verify JWT tokens with the Web Crypto SubtleCrypto API. RS256/ES256/HS256 signature verification, JWK import (RFC 7517), expiry warnings, claim inspection.
How to Use JWT Decoder in 3 Steps
Configure. Paste a JWT token (three base64url parts separated by dots). The tool instantly decodes header and payload into formatted JSON with syntax highlighting.
Process. For signature verification, paste the public key (PEM, JWK, or raw) or HMAC secret. The tool uses crypto.subtle.verify() to cryptographically validate the signature.
Export. Review claims: algorithm, issuer (iss), audience (aud), expiry (exp), issued-at (iat), not-before (nbf). Warnings fire for expired, not-yet-valid, or suspicious tokens.
Why JWT Decoder on Pixlane
JWTs (JSON Web Tokens, RFC 7519) are used for API authentication, session management, and delegated access in OAuth 2.0 flows. Pixlane decodes and fully verifies JWTs in your browser — including cryptographic signature verification with public keys via SubtleCrypto — so you can debug auth flows without sending tokens to a third-party service.
SubtleCrypto Verify — Uses crypto.subtle.verify() — the browser's FIPS-validated signature verification. Supports RS256 (RSA-SHA256), ES256 (ECDSA P-256), HS256 (HMAC), and more.
Privacy-First Auth Debugging — Your tokens — which may grant access to production systems — never leave your browser. Paste test tokens, debug 401s, and inspect claims safely.
JWK Import (RFC 7517) — Accepts keys as PEM, raw base64, or JSON Web Key (JWK) directly. No conversion needed — paste what your auth server publishes.
Expiry + Replay Checks — Highlights expired tokens (exp passed), not-yet-valid tokens (nbf in future), and tokens without iat. Helps diagnose common auth issues quickly.
Frequently Asked Questions
Which JWT algorithms are supported?
HS256/HS384/HS512 (HMAC), RS256/RS384/RS512 (RSASSA-PKCS1-v1_5), PS256/PS384/PS512 (RSA-PSS), ES256/ES384/ES512 (ECDSA), and EdDSA. Covers virtually every production auth system.
Is it safe to paste production JWT tokens here?
The tool runs entirely in your browser — tokens are never sent anywhere. That said, production tokens grant real access, so best practice is to use test/staging tokens or revoke the token after debugging.
What's the difference between decode and verify?
Decode reads the base64url-encoded parts into JSON — it shows you what a token claims, but anyone could have created it. Verify uses the issuer's public key (or HMAC secret) to cryptographically prove the token is authentic and untampered.
Can I generate tokens too?
This tool decodes and verifies existing tokens. Generating JWTs requires a secret key and is usually done server-side. If you need a test token, many libraries (jsonwebtoken, jose) offer a CLI.