logo
GeekFormat

JWT Decoder

Encoded Token
header
payload
signature
有效的 JWT 格式HS256
Secret
Header
{
  "alg": "HS256",
  "typ": "JWT"
}
Payload
{
  "sub": "1234567890",
  "name": "John Doe",
  "admin": true,
  "iat": 1516239022
}
Claims 详解
sub
1234567890
name
John Doe
admin
true
iat
151623902201/18/2018, 09:30:22
Header 详解
algHS256
typJWT

所有操作均在浏览器本地完成,Token 和密钥不会发送到任何服务器

Free online JWT tool for decoding, verifying and generating JWT tokens. View Header, Payload and signature details for API authentication debugging.

Related

HMAC Generator & Verifier

File to Base64

HTTP Request Tester

Base64 Encoder

SQL Formatter

Regex Tester

Use Cases

  • Decode JWT tokens to view user info and permissions in the Payload
  • Verify JWT signature validity and confirm tokens have not been tampered with
  • Debug token issues in login APIs and OAuth authentication flows
  • Generate test JWT tokens for API integration and permission verification

Features

  • Clear JWT structure: view payload, timestamps and field contents at a glance
  • Authentication debugging: login APIs, permission issues and signature verification
  • Search optimized: covers JWT decoder, token and related search terms
  • Direct results: continue debugging expiration, signature and permission fields

How to Use

  1. 1.Paste the JWT token string
  2. 2.The tool automatically parses Header, Payload and signature sections
  3. 3.View decoded results and confirm expiration, user info and permission fields
  4. 4.Generate a new JWT or copy parsed results for debugging as needed

FAQ

How do I decode a JWT token online?

Paste the JWT and instantly view Header, Payload and time-related fields. Perfect for quickly confirming user info, permissions and expiration times.

What scenarios is a JWT tool useful for?

Login authentication debugging, API integration, OAuth setup, permission troubleshooting and signature verification are all common use cases.

What do payload, exp and iat mean in a JWT?

Payload contains the data, usually including user info and permission fields. exp is the expiration time and iat is the issued-at time. Understanding these fields helps determine if a token is expired or misconfigured.

Does decoding a JWT mean it is verified?

No. Decoding only lets you see the contents. Verification also involves checking the algorithm, signature and key match, which is an important distinction.