Third-party token review
Inspect claims before wiring a provider into your workflow.
Documentation
Decode JWT headers and claims, verify HMAC signatures, and inspect expiration windows.
Overview
Use the decoder when a compact token needs to be inspected, verified, or shared as readable JSON.
Inspect claims before wiring a provider into your workflow.
Check whether the token still verifies with the shared secret.
Copy decoded header and payload data into tickets without retyping it.
Supported inputs
Walk through it
Workflow
Use this path when you need to inspect the header and payload.
Workflow
Use this path when you have the shared secret and want to confirm authenticity.
What you get
The header shows the token algorithm and related metadata.
The payload shows claims in readable JSON so you can review them quickly.
The signature result tells you whether the shared secret matched.
Avoid these mistakes
Paste the compact token itself instead of the full authorization header.
A valid decode can still fail verification if the secret does not match.
Check verification before you rely on any claim values.
Glossary
This section translates the most technical labels on the page into plain language so you can interpret the output without opening another tab.
JWT stands for JSON Web Token. It is a compact string format that carries header, payload, and signature data.
A claim is one field inside the token payload, such as a subject, audience, role, or expiration time.
HMAC is a shared-secret signing method. Verification only succeeds when both sides use the same secret and algorithm.
`exp` is the expiration claim. It tells clients and servers when the token should stop being accepted.
`nbf` stands for not before. It means the token should not be treated as valid before that time.
`iat` stands for issued at. It records when the token was created.