JWT Decoder/ Client-side

Instantly decode JWT header and payload, view expiry and standard claims. Token never leaves your browser.

JWT Token

Вставьте JWT-токен выше для декодирования.

Токен не покидает ваш браузер.

Этот инструмент решил вашу проблему?

Что такое JWT

JWT (JSON Web Token) — это компактный, безопасный для URL формат токена из трёх частей: Header (информация об алгоритме), Payload (утверждения/данные) и Signature (подпись).主要用于 используется для аутентификации — сервер выпускает JWT, клиент включает его в запросы, а服务器验证 подпись без обращений к базе данных.

Соображения безопасности JWT

Никогда не храните конфиденциальные данные (пароли, номера кредитных карт) в JWT payload — они仅仅是 Base64-кодированы и читаемы任何ым. Подпись保证 только完整性 данных, не конфиденциальность. Всегда используйте HTTPS, устанавливайте合理ное время жизни (15 минут до 1 часа рекомендуется) и реализуйте ротацию токенов обновления.

Code Examples

JavaScript (jsonwebtoken)
import jwt from 'jsonwebtoken';

// Sign
const token = jwt.sign(
  { sub: 'user_123', role: 'admin' },
  process.env.JWT_SECRET,
  { expiresIn: '1h' }
);

// Verify
const payload = jwt.verify(
  token, process.env.JWT_SECRET
);
Python (PyJWT)
import jwt

# Sign
token = jwt.encode(
    {"sub": "user_123", "exp": exp_ts},
    secret,
    algorithm="HS256"
)

# Verify
payload = jwt.decode(
    token, secret,
    algorithms=["HS256"]
)
Go (golang-jwt)
import "github.com/golang-jwt/jwt/v5"

// Sign
token := jwt.NewWithClaims(
  jwt.SigningMethodHS256,
  jwt.MapClaims{"sub": "user_123"},
)
signed, _ := token.SignedString(secret)

// Verify
parsed, _ := jwt.Parse(signed,
  func(t *jwt.Token) (any, error) {
    return secret, nil
  })
Decode only (any language)
// JWT = base64url(header)
//       + "."
//       + base64url(payload)
//       + "."
//       + signature

function decodeJwt(token) {
  const [h, p] = token.split('.');
  const decode = s => JSON.parse(
    atob(s.replace(/-/g,'+')
          .replace(/_/g,'/'))
  );
  return { header: decode(h),
           payload: decode(p) };
}

Frequently Asked Questions

What is a JWT?
JWT (JSON Web Token) is an open standard (RFC 7519) for securely transmitting information as a JSON object. It consists of three Base64URL-encoded parts separated by dots: Header (algorithm & token type), Payload (claims), and Signature.
Can a JWT be forged?
The payload is only Base64URL-encoded — anyone can decode and read it. However, the signature cannot be forged without the secret key. JWT security relies entirely on signature verification; sensitive data should not be stored in the payload unless you use JWE (encrypted JWT).
What are exp, iat, and nbf?
These are standard JWT claims: exp (Expiration Time) is when the token expires; iat (Issued At) is when it was issued; nbf (Not Before) means the token is invalid before that time. All timestamps are Unix time (seconds since epoch).
Why can't signature verification be done in the browser?
Verification requires the secret key (for HMAC algorithms) or public key (for RSA/ECDSA). In a pure frontend context, these keys are typically unavailable. Signature verification should always be performed server-side in production.
What's the difference between HS256 and RS256?
HS256 (HMAC-SHA256) uses a single shared secret for both signing and verification — suitable for single-service setups. RS256 (RSA-SHA256) uses a private key to sign and a public key to verify — better for microservices where the public key can be distributed safely.
Is my token safe to paste here?
Yes. This tool runs entirely in your browser with no network requests — your token never leaves your device. That said, for production tokens containing sensitive claims, exercise caution and rotate them if you suspect exposure.

Related Tools

64

Base64 Encode/Decode

Encode and decode Base64 for text and files

#

Hash Generator

Generate MD5, SHA1, SHA256, SHA512 hashes client-side

{}

JSON Formatter

Format, validate and compare JSON data