تخطى إلى المحتوى الرئيسي

فك تشفير JWT

JSON Web Tokens (JWT) are the standard authentication mechanism for modern APIs and SPAs. A JWT looks like an opaque string of characters, but it encodes three Base64url-decoded parts: header (algorithm), payload (claims), and signature. Our decoder lets you inspect the payload instantly — essential for debugging auth issues — without needing to know the secret key.

الرأس


        

الحمولة


        

التوقيع

شارك هذه الأداة
Developer Tools

حول JWT Decoder

JSON Web Tokens (JWT) are the standard authentication mechanism for modern APIs and SPAs. A JWT looks like an opaque string of characters, but it encodes three Base64url-decoded parts: header (algorithm), payload (claims), and signature. Our decoder lets you inspect the payload instantly — essential for debugging auth issues — without needing to know the secret key.

كيفية الاستخدام

  1. Paste any JWT (the three-part dot-separated string).
  2. See the decoded header (algorithm, token type) and payload (claims, expiry).
  3. Check expiration: the tool shows whether the token is expired and how long until expiry.
  4. View all standard claims (sub, iss, aud, exp, iat, nbf) with human-readable timestamps.

الصيغة والمنهجية

JWT structure: Base64url(header).Base64url(payload).Base64url(signature). Signature = HMAC-SHA256(base64url(header) + "." + base64url(payload), secret). Base64url differs from Base64: uses - instead of +, _ instead of /, no padding (=). The payload is NOT encrypted — only signed. Anyone can decode and read the claims.

حالات الاستخدام الشائعة

  • Debugging auth issues: checking if claims are correct, token is expired
  • API development: verifying the right claims are included in tokens
  • Security audit: ensuring sensitive data is not embedded in JWT payload
  • Learning: understanding the structure of OAuth 2.0 and OIDC tokens
  • Testing: comparing tokens from different environments

الأسئلة الشائعة

Safe as long as the tool runs client-side (in your browser) without sending the token to a server. Our tool decodes entirely in JavaScript — the token never leaves your browser. Never paste production JWTs containing sensitive claims into external tools that make network requests. When debugging, use a locally-hosted tool or curl to decode: base64 -d <<< "$(echo JWT | cut -d. -f2 | tr _ / | tr - +)".
No — signature verification requires the secret key (HMAC) or public key (RSA/ECDSA). You can decode and read the payload without the secret, but you cannot verify authenticity. This is intentional: the payload is meant to be readable (it's not encrypted), but only the issuer with the secret can produce a valid signature. For RS256 tokens, the public key is often available at the issuer's JWKS endpoint.

أدوات ذات صلة

كل الأدوات →

دمج هذه الأداة في موقعك

مجاني للاستخدام الشخصي والتجاري. فقط انسخ الكود أدناه.