JWT Decoder Online

Decode & inspect JSON Web Tokens

Security Note

JWTs are encoded, not encrypted. Anyone who has the token can see the payload. Never store sensitive secrets like user passwords in a JWT.

How to use JWT Decoder

  1. Paste your JWT

     Enter the full JWT string (header.payload.signature) in the input field.

  2. Inspect claims

     The decoded header and payload are displayed with formatted JSON and human-readable timestamps.

  3. Check expiration

     Expiration and issued-at timestamps are converted to readable local dates automatically.

Frequently asked questions

Is my data safe?
Yes. All processing happens entirely in your browser. Your data never leaves your device and is never uploaded to any server.
Does this tool verify JWT signatures?
No. This tool decodes and displays JWT contents only. Signature verification requires the signing secret (for HMAC) or the public key (for RSA/ECDSA), which the tool deliberately does not accept to avoid handling sensitive credentials.
Is it safe to paste my JWT here?
Yes. The token is decoded entirely in your browser using JavaScript and is never sent to any server. However, as a general security practice, revoke and rotate tokens that may have been exposed, even if you trust the tool.
What does 'alg: none' in the header mean?
'alg: none' means the JWT has no signature and should be rejected by any properly configured server. If you see this in a production token, it indicates a critical security misconfiguration.
Why does the expiration time look wrong?
JWT timestamps (exp, iat, nbf) are in Unix seconds, not milliseconds. The decoded date is shown in UTC — your local timezone offset may make it appear different from what you expect.

Learn more

What is JWT Decoder?

Decode and inspect JSON Web Tokens (JWTs) instantly without sending them to a server. View the decoded header, payload claims, and raw signature in a readable, formatted layout. Expiration (exp), issued-at (iat), and not-before (nbf) timestamps are automatically converted to human-readable dates so you can instantly check whether a token is expired or not yet valid. Paste any JWT — all decoding happens locally in your browser. Safe for inspecting access tokens, refresh tokens, and identity tokens in development.

Why use JWT Decoder?

  • Instantly decode any JWT to inspect claims without writing code or using curl commands.
  • Timestamps are converted to readable dates — immediately see if a token is expired or when it was issued.
  • Completely private — the token never leaves your browser. Safe to use with real tokens during development and debugging.
  • Displays all three JWT sections — header (algorithm and type), payload (claims), and raw signature.
  • No account needed — paste your JWT and see the contents in one second.

JWT Decoder use cases

Debugging authentication issues

When a user reports an authentication error, decode their JWT to check whether the token is expired, issued for the right audience, or missing required claims.

API development

Verify that your auth server is issuing JWTs with the correct claims, roles, and expiration times during development and testing.

Security review

Inspect JWTs used in a system to verify the signing algorithm (alg) is not 'none' and that claims like iss and aud are properly set.

Third-party service integration

Decode JWTs from OAuth providers (Google, GitHub, Auth0) to see what user information is included and which claims are available to your application.

Tips and best practices

  • 💡 A JWT has three parts separated by dots: header.payload.signature. If you only have two parts, it is likely a Base64-encoded token rather than a JWT.
  • 💡 The 'exp' claim is a Unix timestamp in seconds (not milliseconds). The decoded date shown is in UTC — account for timezone when checking expiration.
  • 💡 The 'alg' field in the header tells you the signing algorithm. Always verify it is not 'none' in production — 'none' means no signature verification.
  • 💡 JWTs are not encrypted by default — anyone with the token can decode and read the payload. Never store sensitive data like passwords or SSNs in JWT claims.

How it works

JWT decoding splits the token on '.' delimiters and Base64url-decodes each segment using atob(), after substituting the Base64url characters back to standard Base64 ('-' to '+' and '_' to '/'). The header and payload JSON is then parsed and pretty-printed. No cryptographic verification is performed: signature validation requires the secret or public key, which the tool deliberately does not accept to avoid handling sensitive credentials. Expiration and timestamp fields are converted using new Date(value * 1000), since JWT timestamps are in seconds, not milliseconds.
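The decoding steps above in browser-style JavaScript, as an added example rather than the tool's own source. It goes slightly beyond the description by restoring Base64url padding, decoding the payload as UTF-8, and flagging an 'alg' of none or an exp/nbf outside the current time; base64UrlEncode and SAMPLE_TOKEN are assumed helpers used only to build a constructed sample token.

```javascript
// Added example, not the tool's own source. Decodes a JWT locally as the page
// describes: split on '.', base64url-decode, parse JSON, convert timestamps.
// No signature verification is performed.
function base64UrlDecode(segment) {
  // Base64url (RFC 4648 §5) uses '-' for '+' and '_' for '/' and omits '='.
  let b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const rem = b64.length % 4;
  if (rem === 1) throw new Error("invalid base64url segment length");
  if (rem) b64 += "=".repeat(4 - rem); // atob() needs the padding restored
  const bin = atob(b64);
  // atob() yields a binary string; decode it as UTF-8 so non-ASCII claims survive.
  return new TextDecoder().decode(Uint8Array.from(bin, (c) => c.charCodeAt(0)));
}

function base64UrlEncode(str) {
  // Inverse of the above; assumed helper used only to build the sample token.
  const bytes = new TextEncoder().encode(str);
  const bin = Array.from(bytes, (b) => String.fromCharCode(b)).join("");
  return btoa(bin).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

function decodeJwt(token, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const header = JSON.parse(base64UrlDecode(parts[0]));
  const payload = JSON.parse(base64UrlDecode(parts[1]));
  const times = {};
  for (const claim of ["exp", "iat", "nbf"]) {
    // JWT timestamps are Unix seconds; Date wants milliseconds.
    if (Number.isFinite(payload[claim])) {
      times[claim] = new Date(payload[claim] * 1000).toISOString();
    }
  }
  return {
    header, payload, times,
    signature: parts[2], // raw and unverified
    algNone: String(header.alg).toLowerCase() === "none",
    expired: Number.isFinite(payload.exp) && payload.exp <= nowSec,
    notYetValid: Number.isFinite(payload.nbf) && payload.nbf > nowSec,
  };
}

// Constructed sample token (HS256 header; the signature part is a placeholder).
const SAMPLE_TOKEN =
  base64UrlEncode('{"alg":"HS256","typ":"JWT"}') + "." +
  base64UrlEncode('{"sub":"1234567890","name":"Jöhn Doe","iat":1516239022,"exp":1516242622}') +
  ".signature-not-verified";
console.log(decodeJwt(SAMPLE_TOKEN));
```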