JWT Decoder/Encoder

Decode and encode JSON Web Tokens (JWT) with ease.

Decode a JWT

  1. Paste any JWT (e.g. eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9...V1TL30Ywr4hZTwgSCZgiTx7S-aPeu8fO1s5hp66WZ3o) into the “Target plain text” field.
  2. The tool automatically decodes and displays the Header and Payload JSON.
  3. View the validation status under the decoded token (e.g. Signature is valid or Signature invalid).

Use Cases:

  • Debugging broken signatures when implementing JWT authentication
  • Verifying issued tokens in QA or staging environments
  • Inspecting claims (sub, exp, iat, roles, etc.) before integrating with your backend

Encode a JWT

  1. Enter a valid header in JSON format (e.g. { "alg": "HS256", "typ": "JWT" }).
  2. Enter a payload JSON (e.g. { "sub": "42", "name": "Captain Jack Sparrow", "iat": 1516239022 }).
  3. Select an algorithm from the dropdown (e.g. HS256 (HMAC + SHA-256), RS256 (RSA + SHA-256)).
  4. Provide your secret or private key string in the “Secret / Key” field.
  5. Click Generate to produce the new JWT, displayed in the “Result” box.
  6. Copy the token using Copy or download it as a .txt file.

Use Cases:

  • Creating test tokens for local API development or mocking authentication
  • Generating tokens with custom claims (roles, permissions, expiration) for automated testing
  • Experimenting with different signing algorithms and key lengths before production rollout

Quickly inspect existing JWTs or generate new ones by providing header, payload, algorithm, and secret. Perfect for developers debugging authentication flows and creating test tokens.

Common Scenarios

  • API Integration: Verify incoming tokens from Auth0, Firebase, or custom identity providers
  • CI/CD Pipelines: Automatically generate short-lived tokens for integration tests
  • Security Audits: Inspect token payloads to ensure no sensitive data leaks

Pro Tips

  • 🔑 Use .env or secrets management to store your private keys—never hardcode them in public code.
  • 📅 Check the exp (expiration) and nbf (not before) fields in the payload to avoid expired or premature tokens.
  • 🔒 For stronger security, prefer RS256 or ES256 over HS256 when possible.
  • 🔄 Combine with Text Transform to ensure your JSON is properly capitalized and formatted before encoding.
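
What the decode steps and the exp/nbf tip amount to in code, as an added example (not this tool's own implementation): an HS256 check using only the Python standard library that reports a status similar to the tool's "Signature is valid / Signature invalid". The secret, the exp/nbf values and the status strings are constructed for illustration.

```python
import base64, hashlib, hmac, json, time

def b64url_decode(part):
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()

def sign_hs256(header, payload, secret):
    # Test-token generator: base64url(header).base64url(payload).base64url(HMAC)
    segs = [b64url_encode(json.dumps(x, separators=(",", ":")).encode())
            for x in (header, payload)]
    mac = hmac.new(secret, ".".join(segs).encode(), hashlib.sha256).digest()
    return ".".join(segs + [b64url_encode(mac)])

def verify_hs256(token, secret, now=None, leeway=0):
    """Return (status, payload); trust the payload only when status is 'valid'."""
    try:
        h64, p64, s64 = token.split(".")
        header, payload = json.loads(b64url_decode(h64)), json.loads(b64url_decode(p64))
        sig = b64url_decode(s64)
    except ValueError:
        return "malformed", None
    if not isinstance(header, dict) or not isinstance(payload, dict):
        return "malformed", None
    # The verifier pins the algorithm; the token's own header is not trusted to pick it.
    if header.get("alg") != "HS256":
        return "unexpected alg", None
    expected = hmac.new(secret, f"{h64}.{p64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return "signature invalid", None
    now = time.time() if now is None else now
    for claim in ("exp", "nbf"):
        if claim in payload and not isinstance(payload[claim], (int, float)):
            return "malformed", None
    if "exp" in payload and now >= payload["exp"] + leeway:
        return "expired", payload
    if "nbf" in payload and now < payload["nbf"] - leeway:
        return "not yet valid", payload
    return "valid", payload

# Constructed sample values (header and base payload follow the page's examples).
SECRET = b"constructed-demo-secret"
HEADER = {"alg": "HS256", "typ": "JWT"}
PAYLOAD = {"sub": "42", "name": "Captain Jack Sparrow", "iat": 1516239022,
           "nbf": 1516239022, "exp": 1516242622}
TOKEN = sign_hs256(HEADER, PAYLOAD, SECRET)
```

The time claims are evaluated only after the signature check passes, so an unauthenticated token can never produce an "expired" or "not yet valid" result that a caller might mistake for a partially trusted payload.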