Free JWT decoder & generator (browser-only).

Paste an existing JSON Web Token to decode it, or build a new JWT by editing the header and payload and signing with your own secret key. Everything happens locally in your browser.

Inspect, debug, and create JWTs safely

JWTs are used everywhere for authentication and API access. This tool helps you understand what's inside a token, how its claims are structured, and how signatures are created with HS256 or HS512.

  • Decode JWTs to view header and payload as formatted JSON.
  • See claim details like exp, iat, and sub.
  • Generate new tokens with HS256/HS512 using your own secret.
  • All decoding and signing is done locally, not on a server.

Important: This is a debugging and learning tool. Don't paste production secrets here, and don't rely on it as a replacement for a real authentication service.

JWT Decoder & Generator

Paste a JWT to see its header and payload. Signature is not verified.

How it works

Decode and generate JWTs in two modes.

Switch between decode and generate modes. In decode mode, you paste a token and see its parts. In generate mode, you edit JSON claims and we build a signed JWT using your secret key.

1. Decode existing tokens

Paste any JWT and we'll split it into header, payload, and signature, decode the base64url sections, and format the JSON so you can read it easily.

2. Edit payload claims

In generate mode, you can edit claims like sub, aud, and exp, or let the tool add iat and exp for you.

3. Sign with HS256 or HS512

Provide a secret key, choose HS256 or HS512, and the tool will sign the base64url-encoded header and payload with HMAC via secure browser cryptography APIs.

JWT best practices

Use JWTs safely in production systems.

JWTs are powerful but easy to misuse. These guidelines help you avoid common pitfalls in real-world apps.

Never trust unsigned tokens

Tokens with alg: "none" or missing signatures are not secure for authentication. Always verify the signature on the server.

Validate exp and iat

Check that tokens aren't expired and that their issued time makes sense. Refuse tokens outside acceptable time windows.

Keep secrets out of the frontend

In real applications, JWT signing secrets and private keys belong on the server or in a secrets manager—not in browser code.

Prefer short-lived tokens

Use short expirations and refresh tokens to reduce the damage if a JWT ever leaks, especially for high-privilege sessions.

FAQ

JWT decoder & generator questions, answered.

Learn what this tool does (and doesn't) do when working with JSON Web Tokens.

Does this tool verify signatures?

No. Decode mode only parses and displays the header and payload. It does not verify the signature. Always verify signatures in your server-side code using trusted libraries.

Are tokens sent anywhere when I paste them?

No. Decoding and generation both happen entirely in your browser. We don't send tokens, secrets, or payloads to any server.

Which algorithms does the generator support?

This tool focuses on HS256 and HS512 using a shared secret. Other algorithms like RS256 (public/private keys) should be handled with proper backend libraries and key management.

Should I use this for production tokens?

It's fine for debugging, demos, and local development. For production, your authentication service should generate and verify JWTs automatically.

Learn how your tokens really work

Inspect claims, tweak payloads, and see exactly what changes in the encoded token when you edit the JSON.