Does this verify the JWT signature?

No. The tool decodes the header and payload (which are Base64URL, not encrypted) and runs a structural audit on the claims. Signature verification requires the shared secret (for HS-algorithms) or the public key (for RS / ES algorithms), neither of which we have. To verify signatures, do it in your backend against your own key, or in jwt.io with the secret filled in locally.

Where is the token processed?

Entirely in your browser. The token never leaves your device and never hits our server. Open DevTools and watch the Network tab: clicking Decode fires no `/api/*` request.

What does the security audit check?

Critical issues like `alg=none` (a famous historical bypass), missing or expired `exp`, a `kid` header with path-traversal characters (`..`, `file://`), external `jku` or `x5u` references, symmetric-algorithm warning (HS*), missing standard claims (iss, aud, jti), suspicious lifetime (longer than 30 days, longer than 1 year), and PII detection (passwords, refresh_tokens, SSNs, and other things that should never be inside a JWT).

The audit says CRITICAL but my API accepts the token. Bug?

Not a bug. The audit flags potential design weaknesses, not whether the receiving server validates them. A server may accept `alg=none` (broken), a token that never expires (risky), or a token carrying a refresh_token in the payload (PII leak): all 'accepted' but all bad practice. The audit warns you so the design can be fixed before it gets exploited.

I get 'Invalid characters detected'. Why?

JWTs are Base64URL with three parts separated by dots: only `a-z`, `A-Z`, `0-9`, `-`, `_`, `.` are valid. Quotes, angle brackets, HTML, or surrounding URL context contain forbidden characters. Trim to just the token before pasting.

Free, client-side only, no server cost so no formal rate limit. A local 1-second debounce prevents accidental rapid clicks. Max input 20 KB.

WEB

JWT Decoder

Client-side Expert JWT Analysis

Input

JWT Token

🔒 Client-Side SecurityEverything is processed locally in your browser. Your tokens are never sent to any server.

Decode and Debug JSON Web Tokens (JWT) directly in your browser. Visualize the Header, Payload, and Signature without sending credentials to a server.

Terminal

Console ready. Execute a command to see output...

About JWT Decoder

Stateless Authentication

JSON Web Tokens (JWT) are the standard for modern API authentication. They are self-contained tokens that hold claims about a user (ID, Role, Expiry).

Security Analysis

This tool not only decodes but analyzes critical security risks.

Alg: None: A well-known critical vulnerability where signature checking is completely bypassed.
Weak Secrets: Usage of short simple passwords (like "secret") for signing tokens allows attackers to forge their own admin tokens.
Information Leakage: JWTs are just Base64 encoded, not encrypted. Putting PII (Social Security Numbers, Emails) in them is dangerous because anyone intercepting the token can read it.
Expiry: Visual timeline of when the token becomes invalid.

How to use JWT Decoder

Paste your JWT
Paste the token into the textarea. Whitespace and newlines are stripped automatically.
Hit Decode
Header, payload, and audit run in your browser, no network request is made.
Read the result
Token status (valid / expired / not active yet), security verdict (SAFE / WARNING / RISKY / CRITICAL), security score with a progress bar, timeline, audit findings with remediation hints, and full header and payload tables.
Act on the findings
Fix what the audit flags in your token issuer. For actual signature verification, run it against your secret or public key locally.

Frequently Asked Questions

: No. The tool decodes the header and payload (which are Base64URL, not encrypted) and runs a structural audit on the claims. Signature verification requires the shared secret (for HS-algorithms) or the public key (for RS / ES algorithms), neither of which we have. To verify signatures, do it in your backend against your own key, or in jwt.io with the secret filled in locally.