DevStudio's JWT Decoder and Encoder lets you inspect, verify, and craft JSON Web Tokens entirely inside your browser. Paste a token and the tool splits it on the two dots, Base64URL-decodes the header and payload segments into readable JSON, shows the third segment as the raw signature, surfaces standard claims such as iss, sub, aud, exp, iat, and nbf, and highlights expired or not-yet-valid tokens at a glance. For HS256, HS384, and HS512 you can paste the shared secret to verify the signature; for RS256, RS384, ES256, and ES384 you can paste a PEM-encoded public key to confirm an asymmetric signature. The encoder side lets you build a fresh token by editing the header and payload as JSON and signing with a secret or private key, which is useful when you need a deterministic test token for an integration suite or want to reproduce a production token under controlled conditions.

Because the tool runs entirely on your device using the WebCrypto API, secrets, signing keys, and token contents never leave your browser tab: there is no server round trip, no telemetry on the payload, and no third-party logging. The decoder is fully offline once the page has loaded, which makes it usable on internal networks where outbound HTTPS is restricted.

Common use cases include debugging an authorization failure by checking aud and exp, confirming that a service is signing tokens with the algorithm you expect, copying a payload into a unit test, checking tokens signed under both the old and the new algorithm while migrating from HS to RS during a key rotation, and decoding a token from a Bearer header captured in a HAR file.
HS256 uses a single shared secret to both sign and verify a JWT, so anyone who can verify can also sign. That is fine for a single trusted backend and risky once multiple services need to validate: every verifier has to hold the secret, and compromising any one of them yields a key that forges tokens accepted by all of them. RS256 uses an asymmetric key pair: the issuer signs with a private key that never leaves it, and any number of consumers verify with the public key, which can be distributed freely. Use HS256 when one process owns the secret; use RS256 when keys must be distributed. In either case the verifier should decide up front which algorithm it accepts rather than trusting the alg field of a token it has not yet verified.
Decoding requires only Base64URL-decoding the header and payload segments, which DevStudio's JWT tool does in the browser the moment you paste a token. You will see the claims, the algorithm named in the header, and the issued-at and expiration timestamps without supplying a secret. To verify the signature you do need the corresponding HMAC secret or public key, but reading the contents of a token is always possible without one. Treat what you read as unverified: the claims are whatever the token's creator put there, and only a successful signature check ties them to the issuer.
Paste the token, select the algorithm you expect the issuer to have used (for example HS256, RS256, or ES256; it should match the alg field shown in the header), and supply the matching secret or PEM-encoded public key. DevStudio uses the WebCrypto API to check the signature over the first two segments, header.payload: for the HS algorithms it recomputes the HMAC with your secret and compares it with the third segment; for the RS and ES algorithms it runs the public-key verification against that segment. The result is shown as Valid or Invalid alongside any expiration warnings. An Invalid result means either that the key does not match or that the header or payload was altered after signing; the tool cannot distinguish the two. The secret or key you paste never leaves your browser.
The exp claim inside the payload is a Unix timestamp in seconds. Once the current time is at or after that value, a standards-compliant verifier rejects the token (RFC 7519 permits a small leeway of at most a few minutes for clock skew, and many libraries expose it as a setting). DevStudio compares exp against your local clock, so a wrong system time can produce a false expired warning or hide a real one. Other claims that can cause a token to be rejected include nbf, which marks the earliest time the token may be accepted, and iat when the verifier enforces a maximum token age.
No. DevStudio's JWT tool runs every encode and verify operation locally using the browser's WebCrypto API. The secret, the private key, and the token text remain inside your browser tab. There is no API call carrying the payload, no analytics that capture the secret, and no third-party script that reads the input. You can use the tool offline once the page has loaded and on internal networks with no outbound access.