OnSubmit Free and fast tools
EN
English English EN Français Français FR Español Spanish ES Deutsch German DE Italiano Italian IT
Search
Development · free tool

JWT decoder and encoder for headers, payloads and token claims

Decode, inspect and regenerate test JSON Web Tokens with HS256. Your data stays in your browser whenever the task can be processed locally.

Use the tool Read the FAQ

Your tool

JWT Decoder / Encoder

Good to know

A JWT decoder reads the Base64URL-encoded header and payload of a JSON Web Token. A JWT encoder can regenerate a test token from edited header and payload data.

jwt decoderjwt encoderjson web tokendecode jwtencode jwt

Understand

Understand JWT Decoder / Encoder

What is JWT Decoder / Encoder?

A JWT decoder reads the Base64URL-encoded header and payload of a JSON Web Token. A JWT encoder can regenerate a test token from edited header and payload data.

Main use case: Decode a JWT, inspect claims such as exp or aud, edit test payloads and regenerate HS256 tokens for API debugging.

Common use cases

API debugging
Read token claims while investigating authentication issues.
Expiration checks
Inspect exp, iat and nbf timestamps before testing access flows.
Test token generation
Regenerate an HS256 token after editing test header or payload data.
Auth documentation
Prepare readable token examples for integration notes.

How to use the tool

  1. Paste the JWT token.
  2. Inspect the decoded header and payload.
  3. Edit test claims if needed.
  4. Optionally enter a HS256 secret.
  5. Regenerate the encoded test token.

Best practices

  • Use realistic test values when validating forms, exports or API payloads.
  • Keep real customer, banking and production secrets out of public tools.
  • Check the output format before copying it into a production workflow.
  • Document whether a value is generated, validated, converted or only estimated.

Common mistakes

Confusing valid format with real-world validity
A generated or locally validated value can match a format without proving that it exists in an official system.
Using real production data
Public utilities are best for test data, demos, fixtures, QA and quick checks, not for confidential values.

Related terms and searches

JWTJSON Web TokenJWT encoderJWT decoderclaimsheaderpayloadBase64URLHS256jwt encoderjwt decoder onlineencode jwt onlinedecode json web tokeninspect jwt claimssign jwt hs256

FAQ

Frequently asked questions

Does decoding a JWT verify its signature?

No. Decoding only reads the token content. Signature verification requires the correct key or secret.

Can this tool encode a JWT?

Yes. It can regenerate an HS256 test token from the header, payload and secret you provide.

Is JWT content encrypted?

Most JWTs are signed but not encrypted. Anyone with the token can decode and read the payload.

What are common JWT claims?

Common claims include exp, iat, nbf, iss, aud, sub and custom application fields.

Are my inputs sent to a server?

OnSubmit tools run in the browser whenever the task can be processed locally. Avoid pasting production secrets, real banking details or personal data into public tools.