Frequently asked questions

What is a JWT?

A JSON Web Token (JWT) is a compact, URL-safe token with three Base64URL-encoded parts — header, payload, and signature — used to carry authentication and authorization claims between services.

Is it safe to paste my token here?

Yes. Decoding and signature verification run entirely in your browser using the Web Crypto API — your token and secret are never sent to a server. Note that a JWT is only encoded, not encrypted, so anyone with the token can read its contents; treat it like a password.

Can it verify the signature?

Yes, for HMAC algorithms (HS256, HS384, HS512): enter the shared secret and the tool checks the signature locally. Tokens signed with RSA or ECDSA (RS/ES/PS) are decoded here but not signature-checked; those signatures are verified with a public key on your server.

How do I know if a token is expired?

The tool reads the standard time claims — issued-at (iat), not-before (nbf), and expiry (exp) — shows them as readable dates, and flags whether the token is currently within its validity period, expired, or not yet valid.
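
The local HMAC check and the time-claim check described in the last two answers can be sketched with the Web Crypto API as follows. This is an added example, not the tool's own code; the function names (inspectJwt, timeStatus, makeSampleToken) and the sample secret used with them are assumptions made for illustration.

```javascript
// Added example: decode a JWT, verify an HS256/384/512 signature with Web Crypto,
// and classify the time claims. All function names here are hypothetical.
const subtle = globalThis.crypto?.subtle ?? require("node:crypto").webcrypto.subtle;
const HASHES = { HS256: "SHA-256", HS384: "SHA-384", HS512: "SHA-512" };
const enc = new TextEncoder();

function b64urlToBytes(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/").padEnd(Math.ceil(s.length / 4) * 4, "=");
  return Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
}
function bytesToB64url(bytes) {
  return btoa(String.fromCharCode(...bytes)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}
const hmacKey = (secret, hash, usage) =>
  subtle.importKey("raw", enc.encode(secret), { name: "HMAC", hash }, false, [usage]);

// Classify the token against nbf/exp (seconds since the epoch, per RFC 7519).
function timeStatus(payload, nowSec) {
  if (typeof payload.exp === "number" && nowSec >= payload.exp) return "expired";
  if (typeof payload.nbf === "number" && nowSec < payload.nbf) return "not yet valid";
  return "valid";
}

async function inspectJwt(token, secret, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const dec = new TextDecoder();
  const header = JSON.parse(dec.decode(b64urlToBytes(parts[0])));
  const payload = JSON.parse(dec.decode(b64urlToBytes(parts[1])));
  const hash = HASHES[header.alg]; // undefined for RS/ES/PS and "none": decoded only
  let signature = "not checked";
  if (hash && secret) {
    const key = await hmacKey(secret, hash, "verify");
    // subtle.verify recomputes the MAC over "header.payload" and compares in constant time.
    const ok = await subtle.verify("HMAC", key, b64urlToBytes(parts[2]), enc.encode(parts[0] + "." + parts[1]));
    signature = ok ? "valid" : "invalid";
  }
  return { header, payload, signature, time: timeStatus(payload, nowSec) };
}

// Builds a constructed sample token so the example runs offline.
async function makeSampleToken(payload, secret) {
  const head = bytesToB64url(enc.encode(JSON.stringify({ alg: "HS256", typ: "JWT" })));
  const body = bytesToB64url(enc.encode(JSON.stringify(payload)));
  const key = await hmacKey(secret, "SHA-256", "sign");
  const sig = new Uint8Array(await subtle.sign("HMAC", key, enc.encode(head + "." + body)));
  return `${head}.${body}.${bytesToB64url(sig)}`;
}
```

An inspection tool can take the algorithm from the token header as this sketch does; a server that accepts tokens should instead fix the algorithm it expects and reject anything else.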