Décodeur JWT
JSON Web Tokens (JWT) are the standard authentication mechanism for modern APIs and SPAs. A JWT looks like an opaque string of characters, but it encodes three Base64url-decoded parts: header (algorithm), payload (claims), and signature. Our decoder lets you inspect the payload instantly — essential for debugging auth issues — without needing to know the secret key.
En-tête
Charge utile
Signature
À propos de JWT Decoder
JSON Web Tokens (JWT) are the standard authentication mechanism for modern APIs and SPAs. A JWT looks like an opaque string of characters, but it encodes three Base64url-decoded parts: header (algorithm), payload (claims), and signature. Our decoder lets you inspect the payload instantly — essential for debugging auth issues — without needing to know the secret key.
Comment l'utiliser
- Paste any JWT (the three-part dot-separated string).
- See the decoded header (algorithm, token type) and payload (claims, expiry).
- Check expiration: the tool shows whether the token is expired and how long until expiry.
- View all standard claims (sub, iss, aud, exp, iat, nbf) with human-readable timestamps.
Formule et méthodologie
JWT structure: Base64url(header).Base64url(payload).Base64url(signature). Signature = HMAC-SHA256(base64url(header) + "." + base64url(payload), secret). Base64url differs from Base64: uses - instead of +, _ instead of /, no padding (=). The payload is NOT encrypted — only signed. Anyone can decode and read the claims.
Cas d'usage courants
- Debugging auth issues: checking if claims are correct, token is expired
- API development: verifying the right claims are included in tokens
- Security audit: ensuring sensitive data is not embedded in JWT payload
- Learning: understanding the structure of OAuth 2.0 and OIDC tokens
- Testing: comparing tokens from different environments
Questions fréquentes
Outils connexes
Tous les outils →Intégrer cet outil sur votre site
Gratuit pour usage personnel et commercial. Copiez simplement le code ci-dessous.