JWT Decoder
Decode header and claims, sanity-check expiry and algorithm.
Runs entirely in your browser — the token is never transmitted anywhere. Verify with DevTools: zero network requests on decode.
How it works
A JWT is three Base64URL segments: header.payload.signature. This tool decodes the
first two locally, pretty-prints the JSON, converts exp/iat/nbf
timestamps to human-readable dates, and flags risky patterns — alg: none, expired
tokens, and long-lived tokens. It does not verify the signature (that requires the
key); a decoded token is not a validated token.
FAQ
Is it safe to paste a production token here?
The decode is fully client-side, so nothing is uploaded — but treat live tokens like passwords anyway: prefer expired or test tokens when you can.
Why is alg: none flagged?
Historic implementations accepted unsigned tokens when the header claimed none,
letting attackers forge arbitrary claims. Any modern library should reject it; seeing it in the
wild is a red flag.
From the channel
Secure Your Google Account Before Your Phone Gets Hijacked
Watch on The Exploit HQ — cyber threat intel in 60 seconds ▸