A JSON Web Token (JWT) is a compact, URL-safe token made of three base64url-encoded segments — header, payload, and signature — separated by dots. This tool decodes the first two segments in your browser, formats them as readable JSON, checks time-based claims, and surfaces common security issues. Because tokens frequently carry session and identity data, nothing is ever sent to a server.
How the decoder works
A JWT looks like header.payload.signature. The tool:
- Splits the token on
.and confirms there are three segments. - Base64url-decodes the header and payload (converting
-/_back to+//and restoring padding), thenJSON.parses each. - Reads time claims:
exp(expiry) andnbf(not before), both Unix seconds, and compares them to the current time. - Runs security heuristics:
alg: none(unsigned), suspiciously short tokens, and missingissoraudclaims.
The signature segment is shown verbatim but never validated, because real verification needs the signing key — which should never be pasted into any web page.
What the structure check looks at
Beyond just decoding the JSON, the verifier checks whether the token is structurally sound for production use:
| Check | What it flags |
|---|---|
alg: none | Token is unsigned — a critical vulnerability if accepted |
Missing aud claim | Audience not set — token could be replayed across services |
Missing iss claim | Issuer not identified — harder to enforce token origin |
| Token expired | Current time is past exp — should be rejected |
| Token not yet valid | Current time is before nbf — should be rejected |
| Very long expiry | An exp set months or years out is a security smell |
None of these checks validate the signature — only that the claims are present and the timestamps are in range. Always perform cryptographic signature verification on your server before trusting any claim.
Understanding alg: none
The none algorithm means the token has no signature. RFC 7519 defines it as a
valid algorithm, but accepting it in production is a critical security flaw: an
attacker can fabricate any payload, set alg: none, and submit it without a
signature. Any JWT library that accepts none without being explicitly configured
to do so is misconfigured. The tool flags it because it appears in real tokens
encountered during testing and debugging, and every developer who sees it should
understand why it must be blocked.
Tips and common mistakes
- A decoded payload is readable by anyone who has the token. Never store passwords, PII, or secrets in JWT claims — the payload is encoding, not encryption.
- Always verify the signature server-side using an explicit algorithm allow-list.
Reject
none; also reject any algorithm you did not configure (for example, rejectRS256if your system only issuesHS256). - An expired result here may still be accepted on a server with clock-skew tolerance;
the
expcheck here is informational, not definitive. - Short-lived access tokens combined with refresh tokens are safer than long
expiries. If you see an
expset years in the future, that is worth flagging to the issuing team. - Missing
audis the source of a class of bugs where a token minted for one internal service is replayed against another. Setaudand verify it.