JA Technology Solutions
JWT Explorer
Decode, inspect, and build JWTs. View claims, check expiration, and create HMAC-signed tokens.
Decode JSON Web Tokens to inspect header, payload claims, expiration status, and color-coded token structure. See at a glance whether a token is expired, not yet valid, or currently active — with exact timestamps for iat, exp, and nbf claims — and verify HMAC signatures against a shared secret. Build new JWTs from scratch with standard and custom claims, datetime pickers for time claims, and HMAC signing (HS256/HS384/HS512) via the Web Crypto API. Switch between Decode and Build tabs with one click to edit a decoded token or decode a freshly built one. All cryptography runs in your browser — tokens and secrets never leave your machine.
What a JWT Actually Is
A JSON Web Token (JWT) is a compact, URL-safe way to transmit claims between two parties. It has three parts separated by dots: a header (which algorithm was used to sign it), a payload (the claims — who the token is for, when it expires, what permissions it grants), and a signature (an HMAC or digital signature computed over the first two parts using a secret or private key). The header and payload are just base64url-encoded JSON — not encrypted — so anyone holding the token can read them. The signature is what makes the token trustworthy: a server can verify that nobody tampered with the claims without contacting an authentication server, which is the whole appeal of JWTs in distributed systems.
Standard Claims You Will See
RFC 7519 defines a handful of standard claim names that every JWT should respect: iss (issuer), sub (subject — usually the user ID), aud (intended audience), exp (expiration timestamp), nbf (not-before timestamp), iat (issued-at timestamp), and jti (unique token ID for revocation lists). This explorer labels each standard claim with a plain-English description and flags expired, not-yet-valid, and soon-to-expire tokens. Custom claims (anything beyond the standard set) are preserved and displayed alongside.
Building Tokens with HMAC Signing
The Build tab lets you construct JWTs from scratch using the HMAC-SHA family (HS256, HS384, HS512). Fill in standard claims with form fields and datetime pickers, add custom claims as key-value pairs, and provide a signing secret — the token assembles and signs in real time using the browser’s Web Crypto API. The generated token can be sent straight to the Decode tab with one click, or copied for use in API testing, Postman, or cURL commands.
JWT Done Wrong Is Worse Than No JWT
The most famous JWT vulnerabilities all come from implementation bugs, not the spec itself: accepting the none algorithm (which means “skip signature verification”), confusing HS256 with RS256 (using the public key as an HMAC secret), forgetting to check exp, or accepting tokens issued by anyone. I build authentication and authorization systems that use JWTs correctly — or pick a better-fit alternative (session cookies, OAuth access tokens) when JWTs are the wrong answer for the threat model. Learn about custom application development, explore integration services, or get in touch to discuss auth and API security.
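The checks named above (rejecting none, pinning the algorithm, enforcing exp, accepting only a known issuer and audience), shown as an added example that is not the explorer's own code: a strict HS256 verifier for Node.js using the built-in crypto module. The secret, issuer, audience and tokens are constructed sample values, and the function names are this example's own.

```javascript
// Added example, not the explorer's code. Uses Node's built-in crypto module.
const { createHmac, timingSafeEqual } = require('node:crypto');

const SECRET = 'constructed-demo-secret'; // constructed sample value
const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString('base64url');
const dec = (s) => JSON.parse(Buffer.from(s, 'base64url').toString('utf8'));

// Helper that builds constructed sample tokens for the checks below.
function signHS256(header, payload, secret) {
  const input = enc(header) + '.' + enc(payload);
  return input + '.' + createHmac('sha256', secret).update(input).digest('base64url');
}

// Returns { ok: true, claims } or { ok: false, reason }.
function verifyHS256(token, secret, { issuer, audience, now }) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  let header, claims;
  try { header = dec(parts[0]); claims = dec(parts[1]); }
  catch { return { ok: false, reason: 'malformed' }; }
  if (!header || !claims || typeof header !== 'object' || typeof claims !== 'object')
    return { ok: false, reason: 'malformed' };
  // Pin the algorithm in the verifier; never let the token's header choose it.
  if (header.alg !== 'HS256') return { ok: false, reason: 'alg-not-allowed' };
  // Recompute the MAC over the exact bytes received and compare in constant time.
  const expected = createHmac('sha256', secret).update(parts[0] + '.' + parts[1]).digest();
  const given = Buffer.from(parts[2], 'base64url');
  if (given.length !== expected.length || !timingSafeEqual(given, expected))
    return { ok: false, reason: 'bad-signature' };
  // Trust claims only after the signature checks out. exp is required here.
  if (typeof claims.exp !== 'number' || now >= claims.exp) return { ok: false, reason: 'expired' };
  if (typeof claims.nbf === 'number' && now < claims.nbf) return { ok: false, reason: 'not-yet-valid' };
  if (claims.iss !== issuer) return { ok: false, reason: 'wrong-issuer' };
  const aud = Array.isArray(claims.aud) ? claims.aud : [claims.aud];
  if (!aud.includes(audience)) return { ok: false, reason: 'wrong-audience' };
  return { ok: true, claims };
}

// Constructed sample run: one good token and one unsigned alg "none" token.
const NOW = 1700000000;
const EXPECT = { issuer: 'https://auth.example', audience: 'api.example', now: NOW };
const CLAIMS = { iss: 'https://auth.example', aud: 'api.example', sub: 'user-123', exp: NOW + 300 };
const good = signHS256({ alg: 'HS256', typ: 'JWT' }, CLAIMS, SECRET);
const unsigned = enc({ alg: 'none', typ: 'JWT' }) + '.' + enc(CLAIMS) + '.';
console.log(verifyHS256(good, SECRET, EXPECT).ok, verifyHS256(unsigned, SECRET, EXPECT).reason);
```

The order matters: the algorithm is checked before any key is used, and no claim is read for a decision until the signature has been verified.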