JWT Decoder

Decode, verify (HS256), or generate JWTs. All processing happens in the browser. Never paste production tokens or secrets. For RS256/ES256 and more, use jwt.io.

Common claims
iat (issued at): 2018-01-18T01:30:22.000Z (1516239022)
sub: 1234567890
Header
{
  "alg": "HS256",
  "typ": "JWT"
}
Payload
{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022
}

Why use JWT Decoder?

A JWT's header and payload are Base64URL-encoded JSON. Decode them instantly to inspect iss, aud, exp, and custom claims. This helps you debug authentication flows without pushing tokens through third-party paste sites.

Practical tips

  • Decode does not prove authenticity—anyone can forge unsigned JSON.
  • Check exp with the Auth Token Expiry Checker when clock skew matters.
  • Redact tokens before sharing screenshots; they are often still valid for minutes.

Common questions

Why is the signature unreadable?
It is binary. Verification requires the issuer’s public key or shared secret and a crypto library.

Is this HS256 or RS256?
The header’s alg field tells you. Match verification code to that algorithm.
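
The difference between decoding and verifying, and the algorithm matching described above, as an added example that is not this tool's own code. The secret, the edited name and all function names are constructed for illustration; the header and payload are the sample shown on this page.

```python
import base64, hashlib, hmac, json

def b64url_decode(part):
    # JWTs use unpadded Base64URL; restore the padding before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def decode_unverified(token):
    """Inspect header and payload only; says nothing about authenticity."""
    header_b64, payload_b64, _sig = token.split(".")
    return json.loads(b64url_decode(header_b64)), json.loads(b64url_decode(payload_b64))

def sign_hs256(header, payload, secret):
    parts = [b64url_encode(json.dumps(p, separators=(",", ":")).encode())
             for p in (header, payload)]
    signing_input = ".".join(parts)
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)

def verify_hs256(token, secret):
    """Return the payload only if the HS256 signature checks out."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a three-part compact JWT")
    header = json.loads(b64url_decode(parts[0]))
    # The verifier pins the algorithm it expects; the token's alg field
    # is only compared against that expectation, never trusted to pick it.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    signed = (parts[0] + "." + parts[1]).encode("ascii")
    expected = hmac.new(secret, signed, hashlib.sha256).digest()
    # Constant-time comparison of the recomputed and presented signatures.
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        raise ValueError("signature mismatch")
    return json.loads(b64url_decode(parts[1]))

def is_valid(token, secret):
    try:
        verify_hs256(token, secret)
        return True
    except ValueError:
        return False

# Constructed sample: the page's header and payload, signed with a made-up secret.
SECRET = b"constructed-demo-secret"
PAYLOAD = {"sub": "1234567890", "name": "John Doe", "iat": 1516239022}
GOOD = sign_hs256({"alg": "HS256", "typ": "JWT"}, PAYLOAD, SECRET)
# Same header and signature, edited payload: decodes cleanly, fails verification.
head, _, sig = GOOD.split(".")
EDITED = ".".join([head, b64url_encode(json.dumps({**PAYLOAD, "name": "Jane Roe"}).encode()), sig])
```

`decode_unverified(EDITED)` returns the edited claims without complaint, while `is_valid(EDITED, SECRET)` is false; only the second result should drive an authorization decision.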

About

JWT decoder: paste token, inspect header and payload claims. Free JWT viewer for debugging auth. Base64 decode.
