# Encoders

## JWT Decoder

Decode JWT header and payload locally so you can inspect claims and expiry quickly.

Features:

- HMAC verification
- Claims inspector
- Security warnings

## How the JWT Decoder Works

The ByteKiln JWT Decoder splits your token into its three Base64URL-encoded segments and decodes each locally in your browser. For HMAC tokens, it also verifies the signature using the Web Crypto API — no network request is made.

### Decoding header and payload

A JWT is three Base64URL-encoded segments separated by dots: header, payload, and signature. The decoder splits the token, Base64URL-decodes the header and payload, and pretty-prints each as JSON. Your token never leaves the browser — all decoding uses client-side JavaScript.

### Signature verification

For HS256, HS384, and HS512 tokens, enter your HMAC secret in the Signature panel. The tool re-computes the expected signature using SubtleCrypto.sign() and compares it byte-for-byte against the token's embedded signature.

### Claims and security warnings

The claims inspector shows human-readable dates for exp, iat, and nbf. Security warnings appear when the algorithm is "none", when exp is missing from the payload, or when the token has already expired.

## FAQ

Short answers for the things developers usually ask before trusting a tool.

### Can the ByteKiln JWT Decoder verify JWT signatures?

Yes — for HS256, HS384, and HS512 tokens. Enter your HMAC secret in the Signature panel and the tool verifies the signature locally using the browser's SubtleCrypto API. RS256 and other asymmetric algorithms are not yet supported.

### Does it tell me if the JWT token is expired?

Yes. If the payload includes an exp claim, the tool compares it against the current time and shows a clear Valid or Expired status badge. The exact expiry date and time are also displayed.

### What security warnings does the JWT Decoder show?

The tool warns when the algorithm is set to "none" (no cryptographic signature), when the exp claim is missing entirely, or when the token has already expired. These are common JWT security issues to watch for.

### Is my JWT token sent to a server?

No. The ByteKiln JWT Decoder runs entirely in your browser. Your token is decoded locally using JavaScript and never transmitted, logged, or stored anywhere.

### What is the difference between the JWT header and payload?

The header identifies the token type and signing algorithm (e.g. HS256). The payload contains the claims — statements about the subject like user ID, roles, and expiry time. Both sections are Base64URL-encoded JSON objects.
