JWT Decoder — Decode, Sign, Verify

Paste a JSON Web Token and MiniMax Converter parses the header + payload into readable JSON, validates the signature against a key you provide, and flags any anomalies (expired, wrong issuer, weak algorithm). Generate new JWTs by filling in the claims and signing with HMAC, RSA, ECDSA, or EdDSA. Everything runs locally — your tokens (which often contain user IDs, permissions, secrets) never leave the machine.

What a JWT is

A JSON Web Token is three base64url-encoded chunks separated by dots: header.payload.signature. The header says which algorithm was used; the payload is your data (user ID, claims, expiry); the signature proves the token wasn't tampered with. Decoding is free (anyone can read a JWT — it's NOT encrypted), but verifying the signature requires the secret or public key.

How to use it

  1. Open Tools → Security & Cryptography → JWT.
  2. To decode: paste the token. The header + payload are shown as formatted JSON immediately. Expired tokens are highlighted in red.
  3. To verify: also paste the secret (HMAC) or the public key (RSA/EC/EdDSA). A green checkmark appears when the signature is valid.
  4. To sign a new token: fill in the header (algorithm) + payload (claims like sub, iat, exp, custom keys), provide the key, click Sign. The encoded JWT appears.

Algorithm cheat sheet

HS256/384/512: HMAC with SHA-2 — symmetric, both sides share the secret. Simple, fast.
RS256/384/512: RSA-PKCS1-v1.5 — asymmetric, sign with private key, verify with public. Common in OAuth providers.
ES256/384/512: ECDSA — asymmetric, smaller keys, faster.
PS256/384/512: RSA-PSS — modern RSA variant.
EdDSA: Ed25519 — fastest, most modern, growing adoption.

Questions and answers

Is a decoded JWT secret information?

The payload is NOT encrypted — anyone with the token can read your claims. The signature only verifies authenticity. Don't put secrets (passwords, API keys) in JWT payloads.

What's "alg: none" and why is it dangerous?

A JWT with algorithm "none" has no signature. Buggy verifiers may accept it, letting attackers forge tokens. Reject "none" explicitly in your verifier.
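The two points above, that a JWT decodes without any key and that a verifier must refuse "none", are shown together in the added example below. It is illustrative code written for this page, not MiniMax Converter's own implementation, and it covers only the HMAC (HS*) family. The secret and the claims are constructed demo values, and the alg:none token is built purely as a negative test case so the verifier's rejection can be checked. The verifier pins the algorithm it expects instead of trusting the header, compares the MAC in constant time, and also checks issuer and expiry, which is the behaviour the tool's anomaly flags describe.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo secret for this example; real HMAC secrets must be random and high-entropy.
DEMO_SECRET = b"constructed-demo-secret-do-not-reuse"

# Algorithms this verifier will ever accept. "none" is deliberately absent.
HMAC_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}


def b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url with the '=' padding stripped; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def encode_segment(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def decode_jwt(token: str):
    """Split header.payload.signature and parse the two JSON parts. No verification happens
    here: this is exactly what anyone holding the token can read."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("JWT must have exactly three dot-separated segments")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    return header, payload, parts[2]


def sign_hs(payload: dict, secret: bytes, alg: str = "HS256") -> str:
    """Produce a signed token: HMAC over 'header.payload' using the chosen SHA-2 digest."""
    signing_input = encode_segment({"alg": alg, "typ": "JWT"}) + "." + encode_segment(payload)
    mac = hmac.new(secret, signing_input.encode("ascii"), HMAC_ALGS[alg]).digest()
    return signing_input + "." + b64url_encode(mac)


def make_alg_none_token(payload: dict) -> str:
    """An unsigned token with alg:none and an empty signature segment. Built here only as
    a negative test case to confirm that verify_hs() refuses it."""
    return encode_segment({"alg": "none", "typ": "JWT"}) + "." + encode_segment(payload) + "."


def verify_hs(token: str, secret: bytes, expected_alg: str = "HS256",
              issuer: Optional[str] = None, now: Optional[float] = None) -> dict:
    """Verify signature, algorithm, issuer and expiry; raise ValueError on any failure.
    The verifier decides the algorithm up front instead of trusting the untrusted header."""
    if expected_alg not in HMAC_ALGS:
        raise ValueError("verifier misconfigured: unsupported algorithm " + expected_alg)
    parts = token.split(".")
    header, payload, sig = decode_jwt(token)
    # Header alg must equal the pinned one. This single comparison is what rejects
    # alg:none and any other substitution written into the header.
    if header.get("alg") != expected_alg:
        raise ValueError("unexpected alg %r" % (header.get("alg"),))
    signing_input = (parts[0] + "." + parts[1]).encode("ascii")
    expected_mac = hmac.new(secret, signing_input, HMAC_ALGS[expected_alg]).digest()
    # Constant-time comparison so a byte-by-byte mismatch does not leak timing.
    if not hmac.compare_digest(expected_mac, b64url_decode(sig)):
        raise ValueError("bad signature")
    if issuer is not None and payload.get("iss") != issuer:
        raise ValueError("wrong issuer %r" % (payload.get("iss"),))
    current = time.time() if now is None else now
    if "exp" in payload and current >= payload["exp"]:
        raise ValueError("token expired")
    return payload


def rejects(token: str, secret: bytes, **kwargs) -> bool:
    """True if verify_hs() refuses the token; convenient for the checks below."""
    try:
        verify_hs(token, secret, **kwargs)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed claims; timestamps are fixed so the run is reproducible.
    claims = {"sub": "user-42", "iss": "demo-issuer", "iat": 1700000000, "exp": 1700003600}
    token = sign_hs(claims, DEMO_SECRET)
    header, payload, _ = decode_jwt(token)
    print("header:", header)            # readable without any key
    print("payload:", payload)          # likewise: never put secrets here
    print("valid:", verify_hs(token, DEMO_SECRET, issuer="demo-issuer", now=1700000100))
    print("alg none rejected:", rejects(make_alg_none_token(claims), DEMO_SECRET))
    print("expired rejected:", rejects(token, DEMO_SECRET, now=1700003600))
    print("wrong key rejected:", rejects(token, b"some-other-secret"))
```

Note that the signature check and the claim checks are separate steps: a token can carry a perfectly valid signature and still be expired or issued by the wrong party, which is why the tool flags those as distinct anomalies.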

How do I know the right algorithm to use?

For server-to-server: HS256 (simplest). For OAuth/OIDC: RS256 or ES256 (asymmetric — the issuer signs, anyone with the public key verifies). For new projects with modern stacks: EdDSA.

Can I batch-decode tokens from a log file?

Not from this UI — one at a time. For batch, pipe the tokens through a command-line JWT tool.

Get MiniMax Converter

Cross-platform desktop app. Linux free for non-commercial use; Windows & macOS one-time €20 license. No subscription, no telemetry, no account.