Decode JWTs locally and catch the dangerous parts.

Paste a compact JWT to inspect header, payload, timing claims, JOSE risk signals and signature status. Nothing is uploaded, and this page never follows token header URLs.

Local decoding · Claim timeline · HS signature verify · Security checklist

Token Input

Client-side only. Do not paste production secrets into shared machines.

Decoded JSON

Decode is not verification. Use the signature panel before trusting claims.

HS Signature Verification

Supports HS256, HS384 and HS512 with a pasted shared secret. RS, ES and EdDSA need public key verification in your app.

Local HS256 Test Token Generator

For local development only. It signs in the browser with the secret you enter.

Does decoding a JWT prove it is valid?

No. Decoding only base64url-decodes JSON. A token is trustworthy only after the signature, issuer, audience, expiration and application-specific rules are validated by the relying application.
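
The difference between decoding and verifying, as an added Node.js example (not this tool's own code): a token whose payload was altered after signing still decodes cleanly, and only the relying application's checks reject it. The secret, issuer and audience values are constructed for the demonstration, and the function names are hypothetical.

```javascript
// Added example: decoding vs. verifying an HS256 JWT with Node's built-in crypto.
const crypto = require("node:crypto");

const b64url = (data) => Buffer.from(data).toString("base64url");
const sign = (input, secret) =>
  crypto.createHmac("sha256", secret).update(input).digest();

// Decode only: base64url + JSON.parse, no trust decision is made here.
function decodeJwt(token) {
  const [h, p] = token.split(".");
  return {
    header: JSON.parse(Buffer.from(h, "base64url").toString("utf8")),
    payload: JSON.parse(Buffer.from(p, "base64url").toString("utf8")),
  };
}

// Verify: pinned algorithm, constant-time signature check, then claim checks.
function verifyHs256(token, secret, { issuer, audience, now = Date.now() / 1000 }) {
  const parts = token.split(".");
  if (parts.length !== 3) return { ok: false, reason: "malformed" };
  let header, payload;
  try { ({ header, payload } = decodeJwt(token)); }
  catch { return { ok: false, reason: "malformed" }; }
  if (!header || !payload) return { ok: false, reason: "malformed" };
  // The verifier fixes the algorithm; the token's header never chooses it.
  if (header.alg !== "HS256") return { ok: false, reason: "alg" };
  const expected = sign(`${parts[0]}.${parts[1]}`, secret);
  const given = Buffer.from(parts[2], "base64url");
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected))
    return { ok: false, reason: "signature" };
  if (payload.iss !== issuer) return { ok: false, reason: "iss" };
  const aud = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
  if (!aud.includes(audience)) return { ok: false, reason: "aud" };
  if (typeof payload.exp !== "number" || payload.exp <= now)
    return { ok: false, reason: "exp" };
  return { ok: true, payload };
}

// Constructed sample data (hypothetical issuer, audience and secret).
const SECRET = "constructed-demo-secret";
const CLAIMS = { iss: "https://issuer.example", aud: "api.example", sub: "u1", exp: 2000 };
function makeToken(claims, alg = "HS256") {
  const input = `${b64url(JSON.stringify({ alg, typ: "JWT" }))}.${b64url(JSON.stringify(claims))}`;
  return `${input}.${b64url(sign(input, SECRET))}`;
}
const good = makeToken(CLAIMS);
// Tampered: payload replaced after signing, original signature kept.
const [gh, , gs] = good.split(".");
const tampered = `${gh}.${b64url(JSON.stringify({ ...CLAIMS, sub: "admin" }))}.${gs}`;
```
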

Why does this tool refuse to fetch jku or x5u URLs?

JWT headers can contain arbitrary URLs. Blindly following them can create server-side request forgery and key-confusion problems. This page surfaces those URLs as risk signals instead of fetching them.

Can I verify RS256 or ES256 here?

This page verifies HMAC-based HS tokens only. Public-key algorithms should be verified with the issuer public key or trusted JWKS in your backend or a dedicated local security workflow.