JWT Inspector — xtract.bot

Apps / JWT Inspector

Encoded JWT

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Algorithm: HS256Type: JWT

Verify signature

Secret (raw bytes; UTF-8 of this string)

Awaiting key — enter a secret or PEM key to verify

Verification uses the browser's SubtleCrypto API. Nothing leaves the page.

Header

{
  "alg": "HS256",
  "typ": "JWT"
}

Payload

{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022
}

Standard claims

Subject (sub)	"1234567890"
Issued at (iat)	1516239022 — 2018-01-18T01:30:22.000Z (8.4y ago)

Signature

SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

HS256(
  base64url(header) + "." + base64url(payload),
  <key>
)

Signature length: 32 bytes

About this JWT inspector

What is this?

A free, online JWT decoder + verifier that runs entirely in your browser. Decode a JSON Web Token's header, payload, and signature. Verify HS, RS, PS, ES, or EdDSA signatures using the browser's Web Crypto API. Nothing leaves the page.

What it decodes

Header — JSON object with alg, typ, kid
Payload — claims (iss / sub / aud / exp / iat / nbf / jti + custom)
Standard claims — auto-extracted with human-readable timestamps + status (expired / not-yet-valid / future)
Signature — raw bytes, length, the formula

Supported algorithms

HS256 / HS384 / HS512 (HMAC), RS256 / RS384 / RS512 (RSA-PKCS1), PS256 / PS384 / PS512 (RSA-PSS), ES256 / 384 / 512 (ECDSA), EdDSA (Ed25519), and none (unsigned — flagged as a warning).

Partial decode

When a JWT is malformed — bad base64url, broken JSON, truncated signature — the inspector shows whatever it could parse plus an inline warning. You'll never lose the rest of the token to one bad segment.

FAQ

Is my token uploaded?

No. All decoding and signature verification happens in your browser via the Web Crypto API.

What key format do I need?

HMAC: the secret string. Asymmetric algorithms: a PEM SPKI public key (the -----BEGIN PUBLIC KEY----- form).

Can it sign / create JWTs?

Not in this version — inspect / verify only. Let us know if signing matters to you.

Related tools

JSON Editor — tweak the decoded payload
Diff Viewer — compare two tokens' payloads