JWT Builder & Decoder
Build, sign, and decode JSON Web Tokens.
All processing happens in your browser. Your secret keys and token data are never sent to any server.
Header
alg
typ
Payload - Standard Claims
iss
sub
aud
exp
Set exp:
nbf
iat
jti
Custom Claims
Secret Key
Encoded JWT
Frequently Asked Questions
What are the standard JWT claims?
The registered claims are: iss (issuer), sub (subject), aud (audience), exp (expiration time), nbf (not before), iat (issued at), and jti (JWT ID). All are optional, but exp and iat are the most commonly used.
What does HS256 mean in a JWT?
HS256 stands for HMAC using SHA-256. It is a symmetric signing algorithm, meaning the same secret key is used to both sign and verify the token. HS384 and HS512 use SHA-384 and SHA-512 respectively for longer signatures.
How do I check if a JWT has expired?
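Decode the payload and look at the exp claim. It is a Unix timestamp (seconds since January 1, 1970). Compare it to the current time. If the current time is past exp, the token is expired. Decoding alone does not verify anything: the payload is only base64url-encoded, so trust the exp value only after the signature has been checked.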
What is the difference between HS256 and RS256?
HS256 is symmetric: one shared secret both signs and verifies. RS256 is asymmetric: a private key signs and a public key verifies. RS256 is better for distributed systems where the verifier should not have the signing key.
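
The HS256 and expiry answers above, combined into one added example (not this tool's own code): it checks the HMAC-SHA256 signature before reading exp or nbf, using Node.js's crypto module where a browser would use Web Crypto. The function names, reason strings and sample inputs are assumptions made for the illustration.

```javascript
// Added example. Runs under Node.js; names and sample values are illustrative.
const nodeCrypto = require("node:crypto");

const b64url = (data) => Buffer.from(data).toString("base64url");
const fromB64url = (s) => Buffer.from(s, "base64url");
const hmacSha256 = (data, secret) =>
  nodeCrypto.createHmac("sha256", secret).update(data).digest();

// Build header.payload.signature, the three dot-separated parts of a JWT.
function signHs256(payload, secret) {
  const head = b64url(JSON.stringify({ alg: "HS256", typ: "JWT" }));
  const body = b64url(JSON.stringify(payload));
  return `${head}.${body}.${b64url(hmacSha256(`${head}.${body}`, secret))}`;
}

// Verify the signature first; only then read exp/nbf from the payload.
function verifyHs256(token, secret, now = Math.floor(Date.now() / 1000)) {
  const parts = String(token).split(".");
  if (parts.length !== 3) return { ok: false, reason: "malformed" };
  const [head, body, sig] = parts;
  let header, payload;
  try {
    header = JSON.parse(fromB64url(head).toString("utf8"));
    payload = JSON.parse(fromB64url(body).toString("utf8"));
  } catch {
    return { ok: false, reason: "malformed" };
  }
  if (!header || !payload || typeof payload !== "object") {
    return { ok: false, reason: "malformed" };
  }
  // Pin the algorithm the verifier expects instead of trusting the header.
  if (header.alg !== "HS256") return { ok: false, reason: "unexpected alg" };
  const expected = hmacSha256(`${head}.${body}`, secret);
  const given = fromB64url(sig);
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  if (given.length !== expected.length ||
      !nodeCrypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: "bad signature" };
  }
  // RFC 7519: the current time must be before exp and not before nbf.
  if (typeof payload.exp === "number" && now >= payload.exp) {
    return { ok: false, reason: "expired" };
  }
  if (typeof payload.nbf === "number" && now < payload.nbf) {
    return { ok: false, reason: "not yet valid" };
  }
  return { ok: true, payload };
}
```

Passing `now` explicitly makes the expiry check testable with fixed timestamps; in production it defaults to the current time in seconds.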