Passer au contenu principal

Décodeur JWT

JSON Web Tokens (JWT) are the standard authentication mechanism for modern APIs and SPAs. A JWT looks like an opaque string of characters, but it encodes three Base64url-decoded parts: header (algorithm), payload (claims), and signature. Our decoder lets you inspect the payload instantly — essential for debugging auth issues — without needing to know the secret key.

En-tête


        

Charge utile


        

Signature

Partager cet outil
Developer Tools

À propos de JWT Decoder

JSON Web Tokens (JWT) are the standard authentication mechanism for modern APIs and SPAs. A JWT looks like an opaque string of characters, but it encodes three Base64url-decoded parts: header (algorithm), payload (claims), and signature. Our decoder lets you inspect the payload instantly — essential for debugging auth issues — without needing to know the secret key.

Comment l'utiliser

  1. Paste any JWT (the three-part dot-separated string).
  2. See the decoded header (algorithm, token type) and payload (claims, expiry).
  3. Check expiration: the tool shows whether the token is expired and how long until expiry.
  4. View all standard claims (sub, iss, aud, exp, iat, nbf) with human-readable timestamps.

Formule et méthodologie

JWT structure: Base64url(header).Base64url(payload).Base64url(signature). Signature = HMAC-SHA256(base64url(header) + "." + base64url(payload), secret). Base64url differs from Base64: uses - instead of +, _ instead of /, no padding (=). The payload is NOT encrypted — only signed. Anyone can decode and read the claims.

Cas d'usage courants

  • Debugging auth issues: checking if claims are correct, token is expired
  • API development: verifying the right claims are included in tokens
  • Security audit: ensuring sensitive data is not embedded in JWT payload
  • Learning: understanding the structure of OAuth 2.0 and OIDC tokens
  • Testing: comparing tokens from different environments

Questions fréquentes

Safe as long as the tool runs client-side (in your browser) without sending the token to a server. Our tool decodes entirely in JavaScript — the token never leaves your browser. Never paste production JWTs containing sensitive claims into external tools that make network requests. When debugging, use a locally-hosted tool or curl to decode: base64 -d <<< "$(echo JWT | cut -d. -f2 | tr _ / | tr - +)".
No — signature verification requires the secret key (HMAC) or public key (RSA/ECDSA). You can decode and read the payload without the secret, but you cannot verify authenticity. This is intentional: the payload is meant to be readable (it's not encrypted), but only the issuer with the secret can produce a valid signature. For RS256 tokens, the public key is often available at the issuer's JWKS endpoint.

Outils connexes

Tous les outils →

Intégrer cet outil sur votre site

Gratuit pour usage personnel et commercial. Copiez simplement le code ci-dessous.