
JWT Decoder & Inspector

Private by design — runs entirely in your browser

Decode a JWT (JSON Web Token) and inspect its header and payload without sending the token anywhere. Toova shows the algorithm, claims, issue and expiry timestamps in human form, and flags tokens that are already expired — all locally, in your browser.

Why decode JWTs locally

Every other JWT decoder asks you to paste the token into a remote form. The problem is obvious — if the token is valid, whoever runs that server can impersonate you. Toova decodes the token entirely in your browser, with no upload and no logging. You can paste a production access token, inspect the claims, and verify it is shaped correctly without leaking it to a third party.

What you see in the decoded output

Toova splits the token into header, payload, and signature. The header shows the algorithm and key ID. The payload is pretty-printed JSON with every standard claim (iss, sub, aud, exp, nbf, iat, jti) converted to readable form. Timestamps are translated to your local timezone and the tool flags whether the token is currently valid, expired, or not yet active.

Decode only, never trust

Decoding a JWT is not the same as verifying it. The decoder shows you what the token claims to be, but it does not check the signature — that requires the signing key, which lives on the server that issued the token. Use Toova to debug claim structure, expiry, and audience values; use your auth library to verify trust before granting access.
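The following is an added example, not Toova's own code, showing the decode-only workflow described above: split the token, base64url-decode the header and payload, convert the epoch claims to readable timestamps, classify the token as active, expired or not yet active, and warn on alg "none", without ever checking the signature. It runs in a browser or Node 18+ (atob/btoa and TextDecoder/TextEncoder are assumed to be available); the sample token is constructed inside the block.

```javascript
// Added example (not Toova's code): local JWT inspection, no verification.

function base64UrlDecode(segment) {
  // JWT segments are base64url without padding; restore standard base64 first.
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return new TextDecoder().decode(bytes);
}

// Decode only. The result tells you what the token claims, not whether it is trusted.
// `nowSeconds` is injectable so the time-window check is deterministic in tests.
function decodeJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.split(".");
  if (parts.length !== 3) throw new Error("expected 3 dot-separated segments");
  const header = JSON.parse(base64UrlDecode(parts[0]));
  const payload = JSON.parse(base64UrlDecode(parts[1]));
  const warnings = [];
  if (String(header.alg).toLowerCase() === "none") warnings.push("alg=none: token is unsigned");
  if (parts[2] === "") warnings.push("empty signature segment");
  // exp is checked before nbf: an expired token is expired regardless of nbf.
  let status = "active";
  if (typeof payload.exp === "number" && payload.exp <= nowSeconds) status = "expired";
  else if (typeof payload.nbf === "number" && payload.nbf > nowSeconds) status = "not-yet-active";
  // Toova renders these in the local timezone; ISO-8601 UTC is used here so output is stable.
  const times = {};
  for (const claim of ["iat", "nbf", "exp"]) {
    if (typeof payload[claim] === "number") times[claim] = new Date(payload[claim] * 1000).toISOString();
  }
  return { header, payload, signature: parts[2], status, times, warnings };
}

// Constructed sample token: unsigned (alg none), valid from 1700000000 to 1700003600.
function base64UrlEncode(str) {
  const b64 = btoa(String.fromCharCode(...new TextEncoder().encode(str)));
  return b64.replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}
const SAMPLE_TOKEN = [
  base64UrlEncode(JSON.stringify({ alg: "none", typ: "JWT" })),
  base64UrlEncode(JSON.stringify({ iss: "https://issuer.example", sub: "user-42", aud: "api",
                                   iat: 1700000000, nbf: 1700000000, exp: 1700003600 })),
  "", // no signature at all
].join(".");
```

Calling `decodeJwt(SAMPLE_TOKEN)` today reports the token as expired with the alg=none warning, while `decodeJwt(SAMPLE_TOKEN, 1700001000)` reports it as active, which is exactly the distinction between "what the token says" and "whether anyone should trust it".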

Frequently Asked Questions

Does Toova verify the JWT signature?
No. Verification requires the signing key, which only the issuer holds. Toova decodes the header and payload so you can inspect the claims, but trusting the token still requires server-side verification with the secret or public key.
Is my token sent anywhere?
No. The decoder runs entirely in your browser. The token never leaves your device, and there are zero outbound network requests during decoding. Open DevTools and verify it yourself.
Can I decode an expired token?
Yes. The decoder works regardless of expiry. It flags the token as expired and shows when the exp claim passed, which helps when debugging why a request was rejected.
What does the alg field tell me?
It identifies the signing algorithm — HS256 for HMAC-SHA256, RS256 for RSA, ES256 for ECDSA, and so on. If alg is "none" the token is unsigned, which is almost always a security bug.
Why are the timestamps numbers?
JWT claims use Unix epoch seconds. Toova translates iat, nbf, and exp to your local timezone so you can read them, while keeping the raw value visible for reference.