Skip to content
Marvin's Toolbox.

Search tools

Type to filter all tools

JWT Decoder

Paste a JSON Web Token to see its header and payload as formatted JSON, with the token color coded so each part maps to its output. Explains the registered claims, shows expiry as readable dates, flags expired tokens and can verify the signature with a secret or public key.

Everything runs locally in your browser. Your data never leaves your device.

HeaderPayloadSignature

Line breaks, surrounding whitespace and a Bearer prefix are all fine.

Nothing decoded yet
Paste a JSON Web Token above, or use the sample, to see its header, payload and claims.

Next steps

Send this tool's output straight into another tool.

Paste JSON to explore it as a collapsible, searchable tree, hide the fields you don't need, and see the structure it implies as a badge-annotated schema and a copyable TypeScript interface.

Convert config and data between JSON, YAML, TOML, JSON5, INI, XML, CSV and .env. Type or paste on the left, pick the output format on the right, and copy the result. Includes a format button and a minify toggle.

Compare two JSON documents by structure and see every added, removed and changed key and value with its exact path. Browse the result as a tree, a filterable change list or a line diff, ignore array order, catch type changes and export the changes as a JSON report.

Convert text into every case at once: title case in the APA, AP, Chicago, MLA, Bluebook, AMA and NYT styles, sentence case, upper, lower, camelCase, snake_case, kebab-case and more, each with its own copy button.

Count words, characters, sentences, paragraphs, lines and more as you type, with estimated reading and speaking time.

Remove duplicate lines from a list or text, keeping the first occurrence. Optionally ignore case and whitespace, or drop blank lines too.

Replace text in two modes: plain find and replace all, or regular expressions with flag controls and capture group references like $1.

Compare two texts and see every added, removed and changed line highlighted, side by side or inline, with the changed words marked within each line. Ignore case, whitespace or blank lines, read a summary of how much changed, and export the result as a unified diff.

Paste a UUID to see what it carries: version, variant, and for time-based versions the exact timestamp, clock sequence and node. Also shows the raw bytes, the 128-bit integer and the URN form.

Decode Base64 to text or encode text to Base64. Paste into the top box, read the result below, and flip the direction with one click. Handles Unicode correctly, reads URL-safe Base64, and shows binary payloads as a hex dump you can download.

Sort the lines of a text alphabetically, naturally, by length, by numeric value or shuffled. Reverse the order with a switch, and optionally trim lines, drop blank lines and remove duplicates in the same pass.

Convert a color between HEX, RGB, HSL, HSV, HWB, CMYK, OKLCH and OKLAB. Type into any field and the others update as you go, or pick the color visually. Reads CSS color syntax and keeps alpha where the format supports it.

Check two colors against the WCAG contrast rules. Type or pick a text and a background color, read the contrast ratio, see which AA and AAA checks pass, preview real text at the sizes WCAG distinguishes, and get suggested fixes when a check fails.

Create a QR code for text, a link, an email, a phone number, an SMS, Wi-Fi access or a contact card. Set the error correction level, size, margin and colors, then download it as PNG or SVG or copy it straight to the clipboard.

Paste a cron expression and get a plain English explanation, a field by field breakdown and the next times it would run, in your local timezone or UTC. Reads five field crontab syntax, six fields with seconds, names like MON and macros like @daily.

Work out an IPv4 or IPv6 network from an address with a prefix or netmask: network and broadcast addresses, usable host range, subnet mask, wildcard mask and address type. Adjust the prefix with a slider, read the binary breakdown, and split the network into smaller subnets.

Hash text or a file with MD5, SHA-1, SHA-256, SHA-512, SHA-3, BLAKE2, BLAKE3, CRC32 and more, all computed live as you type. Compare against an expected checksum and copy any digest.

Verify a checksum online: drop a file, paste the expected checksum and see instantly whether they match. The hash type is detected from the checksum itself, covering MD5, SHA-1, SHA-256, SHA-512, BLAKE3, CRC-32 and more, and sha256sum lines or whole checksum files can be pasted as-is.

Encode text for use in URLs or decode percent-escaped strings back to readable text. Choose component, full-URL or form encoding, unwrap double-encoded strings, and break a URL into its parts with every query parameter decoded.

Convert Unix timestamps in seconds, milliseconds, microseconds or nanoseconds to readable dates in your local time, UTC or any timezone, and turn any date back into a timestamp. Shows the live current timestamp and relative time.

Escape text into HTML entities or decode entities back to plain text. Choose named or numeric entities, escape only the unsafe characters or everything outside ASCII, and read the result live.

Paste a JSON Web Token to see its header and payload as formatted JSON, with the token color coded so each part maps to its output. Explains the registered claims, shows expiry as readable dates, flags expired tokens and can verify the signature with a secret or public key.

Compress text or a file with gzip, deflate, brotli or Zstandard and see the size before and after, the compression ratio and how long it took. One click tries every method and recommends the smallest result.

Decompress gzip, deflate, brotli or Zstandard data from a file or pasted Base64 and read the result as text or download it. Detects the format from the magic bytes where possible, with a manual override.

About the JWT Decoder

This tool decodes a JSON Web Token and lays it out so you can read it. The pasted token is color coded by part, and the header and payload appear as formatted JSON in panes carrying the same colors, so every value points back at the characters it came from.

Each claim in the payload is explained in plain language. Timestamps like exp, nbf and iat show as readable dates in local time and UTC, an expired token gets a clear flag, and you can check the signature with a secret or a public key.

What you can do

  • Decode a JWT and read its header and payload as formatted JSON.
  • Check whether a JWT is expired or not yet valid.
  • Understand the registered claims: iss, sub, aud, exp, nbf, iat and jti.
  • Verify an HS256, HS384 or HS512 signature with the shared secret.
  • Verify RS, PS, ES and EdDSA signatures with a PEM or JWK public key.
  • Convert exp and iat timestamps to readable dates.

How to use the JWT Decoder

  1. 1Paste the token. A Bearer prefix, quotes and line breaks are all fine, and the sample token gives you something to explore.
  2. 2Read the decoded header and payload, and copy either as JSON.
  3. 3Check the claims table for what each claim means and whether the token is still valid.
  4. 4To verify the signature, enter the secret for HS tokens or paste the public key for RS, PS, ES and EdDSA tokens, then click Verify signature.
  5. 5Send the decoded payload to the JSON Inspector to explore it as a tree.

Decoding is not verification

Anyone can decode a JWT. The header and payload are just base64url encoded JSON, so reading them proves nothing about who created the token. Trust comes from the signature check, which needs the secret or public key the token was signed with. The tool keeps an unverified notice on screen until a verification actually succeeds.

A token using alg: none carries no signature at all and gets a clear warning. Most libraries reject such tokens, and so should you.

Supported algorithms

HMAC tokens (HS256, HS384, HS512) verify with the shared secret, entered as raw text or Base64. Asymmetric tokens (RS256/384/512, PS256/384/512, ES256/384/512 and EdDSA) verify with the public key, pasted as a PEM block (SPKI or an X.509 certificate) or as a JWK. Private keys are rejected on purpose, since verification only ever needs the public half.

Verify a checksum online: drop a file, paste the expected checksum and see instantly whether they match. The hash type is detected from the checksum itself, covering MD5, SHA-1, SHA-256, SHA-512, BLAKE3, CRC-32 and more, and sha256sum lines or whole checksum files can be pasted as-is.

Hash text or a file with MD5, SHA-1, SHA-256, SHA-512, SHA-3, BLAKE2, BLAKE3, CRC32 and more, all computed live as you type. Compare against an expected checksum and copy any digest.

Decode Base64 to text or encode text to Base64. Paste into the top box, read the result below, and flip the direction with one click. Handles Unicode correctly, reads URL-safe Base64, and shows binary payloads as a hex dump you can download.

See what your clipboard really holds. One press lists every format on it, from plain text and HTML to Excel tables and images, each with its type, size and a preview. Pasting works too, and can reveal even more formats.

Check two colors against the WCAG contrast rules. Type or pick a text and a background color, read the contrast ratio, see which AA and AAA checks pass, preview real text at the sizes WCAG distinguishes, and get suggested fixes when a check fails.

Convert a color between HEX, RGB, HSL, HSV, HWB, CMYK, OKLCH and OKLAB. Type into any field and the others update as you go, or pick the color visually. Reads CSS color syntax and keeps alpha where the format supports it.