ClipGate Tools · JWT Decoder

Decode & verify JWTs. No ads. No upload.

Paste any JSON Web Token below to inspect its header, payload, and signature. Verify HS256/384/512 and RS256/384/512 signatures directly in the browser. Everything runs client-side — your tokens never touch a server.

100% client-side · No signup · No ads · HS256/384/512 · RS256/384/512
Your token is decoded locally. Open DevTools → Network while you paste — zero outbound requests.
Why this sidebar?

Tokens are secrets

JWTs carry identity. ClipGate's content classifier — the same one that runs in the CLI — detects them automatically and requires explicit unlock before paste. The box above shows it live.


About JSON Web Tokens

A JWT is three Base64URL-encoded segments — header, payload, signature — joined with dots. The header declares the signing algorithm, the payload carries claims (who, what, until when), and the signature lets a verifier confirm the token wasn't tampered with. Decoding a JWT is trivial; verifying it requires the shared secret or issuer's public key.

Are my tokens sent to a server?

No. This tool is a single static HTML page served from GitHub Pages. Decoding uses atob and JSON.parse. Signature verification uses the browser's built-in Web Crypto API (SubtleCrypto). Your token never touches our infrastructure — there is no backend here to touch it.

Which signing algorithms do you support?

Decoding works for any JWT regardless of alg. Signature verification supports HS256, HS384, HS512 (symmetric shared-secret) and RS256, RS384, RS512 (asymmetric — paste the issuer's PEM-encoded public key). ES256, ES384, and EdDSA are on the roadmap.

Can a decoded JWT be trusted on its own?

No. Anyone can produce a JWT and set the payload to anything. Trust requires two checks: (1) the signature verifies against the issuer's secret or public key, and (2) the exp, nbf, and iat claims are in a valid range. This tool flags both for you automatically.

Why does the claim bar sometimes turn yellow?

Yellow means a time-based claim is unusual but not fatal — e.g. nbf is in the future (token not yet valid), or iat is in the future (issued-at skew). Red means expired. Green means valid.
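As an added example (not ClipGate's own code), here is the decode step and the red/yellow/green time-claim check described in the answers above, in plain JavaScript. The function names, the fixed clock and the sample tokens are constructed for illustration, and treating an absent claim as "not applicable" is an assumption.

```javascript
// Added example; b64urlToText, decodeJwt, classifyTimeClaims, makeSample are hypothetical names.
function b64urlToText(segment) {
  // Base64URL uses '-' and '_' and drops '=' padding; atob needs standard Base64.
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  // atob returns one char per byte; claims may hold non-ASCII, so decode as UTF-8.
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes);
}

function decodeJwt(token) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  return {
    header: JSON.parse(b64urlToText(parts[0])),
    payload: JSON.parse(b64urlToText(parts[1])),
    signature: parts[2], // kept as raw Base64URL; decoding says nothing about validity
  };
}

// Red = expired, yellow = nbf or iat in the future, green = otherwise.
// Assumption: a claim that is absent or not a number is skipped.
function classifyTimeClaims(payload, nowSec) {
  const { exp, nbf, iat } = payload;
  if (typeof exp === "number" && nowSec >= exp) return "red";
  if (typeof nbf === "number" && nbf > nowSec) return "yellow";
  if (typeof iat === "number" && iat > nowSec) return "yellow";
  return "green";
}

// Constructed sample tokens; "c2ln" is a placeholder, not a real signature.
function makeSample(payload) {
  const enc = (obj) => {
    const bytes = new TextEncoder().encode(JSON.stringify(obj));
    return btoa(String.fromCharCode(...bytes))
      .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  };
  return `${enc({ alg: "HS256", typ: "JWT" })}.${enc(payload)}.c2ln`;
}

const NOW = 1700000000; // fixed clock so the demo is repeatable
const samples = {
  valid: makeSample({ sub: "zoë", iat: NOW - 60, exp: NOW + 3600 }),
  expired: makeSample({ sub: "a", iat: NOW - 7200, exp: NOW - 3600 }),
  notYet: makeSample({ sub: "a", nbf: NOW + 300, exp: NOW + 3600 }),
};
for (const [name, tok] of Object.entries(samples)) {
  const { payload } = decodeJwt(tok);
  console.log(name, payload.sub, classifyTimeClaims(payload, NOW));
}
```

Nothing in this block checks the signature, so its output describes only what a token claims, not whether the token is genuine.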

Who built this?

The ClipGate team. We build a local-first clipboard vault CLI for developers that auto-classifies copied content and blocks paste of secrets. These free tools extend that philosophy to common developer workflows — ad-free, client-side, dark by default.