What is a JWT and how do you decode it?
A JSON Web Token (JWT) is a compact, URL-safe token used for authentication and authorization. It has three Base64url-encoded parts separated by dots: header.payload.signature. The header and payload are plain JSON, readable by anyone who holds the token; decoding needs no key. The signature is computed over the first two parts (header.payload) with a shared secret (HMAC) or a private key (RSA/ECDSA), and verifying it is the only way to know that nobody altered the header or payload.
Why decode a JWT?
Debugging auth flows, inspecting exp / iat timestamps, checking which roles or scopes are embedded, or confirming the algorithm (alg) — these are daily tasks for backend and frontend engineers.
Is it safe to paste tokens here?
Yes — everything runs in your browser. No data is sent to any server. That said, a decoded token is still a bearer credential: avoid pasting production or long-lived tokens at all, and if you must, revoke or rotate them once you are done debugging.
Standard JWT Claims
iss Issuer · sub Subject · aud Audience · exp Expiry · nbf Not Before · iat Issued At · jti JWT ID. Any other keys are custom claims. exp, nbf and iat are NumericDate values: seconds since the Unix epoch, not milliseconds.
Signature Verification
Enter your HMAC secret to verify HS256, HS384, or HS512 tokens. RSA/ECDSA tokens (RS256, ES256) require the issuer's public key instead; that verification also runs client-side, using the Web Crypto API. A valid signature only proves the token was signed with that key; a real consumer must still check exp, nbf, iss and aud before trusting the claims.
Token Expiry Status
The tool auto-checks the exp and nbf claims against your local clock, shows a progress bar of how much of the token's lifetime (iat to exp) remains, and flags tokens that are expired or not yet valid. Because the comparison uses your machine's clock, a skewed clock can make a token look expired or not-yet-valid when the server would still accept it; servers normally allow a few seconds of leeway for this.
alg: none vulnerability
If the header shows "alg": "none", the token carries no signature at all (the third segment is empty). A library that honours alg:none lets anyone mint a token with arbitrary claims, so this is a serious misconfiguration and a classic forgery vector. The fix is for the verifier to pin the algorithm it expects and compare the header's alg against it, never to let the header choose the verification method. That same rule also blocks key-confusion attacks, where an RS256 token is re-signed as HS256 using the server's public key as the HMAC secret.