Decode & Validate JWT Tokens Instantly

Paste any JWT to decode its contents and verify its signature. Our free tool instantly shows the header, payload, and validation status, checking for expiration, issuer, and algorithm security. Ensure your tokens are valid and secure before using them in your applications.

How the JWT Decoder and Validator Works

This tool decodes JSON Web Tokens (JWTs) client-side, displaying the header and payload in readable JSON format. It also verifies the signature using your secret key or public key, helping you confirm token authenticity.

Decoding Process

  1. Paste your JWT token (the three-part base64url-encoded string)
  2. The tool splits the token into header, payload, and signature segments
  3. The header and payload segments are base64url-decoded to reveal their JSON content (the signature segment decodes to raw bytes)
  4. Header shows the algorithm (alg) and token type (typ)
  5. Payload displays claims like sub, exp, iat, and custom data
  6. Optionally verify the signature by providing the secret or public key

Specific Use Cases

Debugging Authentication Issues

A developer's login works but API calls fail with "invalid token". They decode the JWT to check if the exp claim has passed or if the sub claim matches the expected user ID.

Security Audit of Token Contents

A security engineer reviews what sensitive data is stored in JWTs. They discover email addresses and roles are included and recommend removing unnecessary claims to reduce token size and exposure.

Verifying Third-Party Tokens

An integration engineer receives JWTs from an OAuth provider. They decode tokens to understand the claim structure and map them to their application's user model.

Testing Token Expiration Behavior

A QA engineer generates test tokens with different exp values to verify their application correctly handles expired tokens, tokens about to expire, and fresh tokens.

Algorithm Security Review

A security analyst checks if any tokens use the "none" algorithm (a known vulnerability) or weak algorithms. The tool highlights algorithm security levels with visual indicators.

What to Know Before Using This Tool

Important considerations when decoding and validating JWTs:

  • All decoding happens client-side - tokens are never sent to any server
  • Signature verification requires the exact secret key or matching public key
  • HS256/HS384/HS512 use HMAC with a shared secret key
  • RS256/ES256 use asymmetric keys - you need the public key to verify
  • The "none" algorithm is insecure and should never be used in production
  • Time claims (exp, iat, nbf) are Unix timestamps in seconds
  • Expired tokens show a visual warning with "(EXPIRED)" indicator

Frequently Asked Questions

What are the three parts of a JWT?

A JWT consists of: Header (algorithm and token type), Payload (claims/data), and Signature (an HMAC or digital signature computed over the first two parts). They're separated by dots: header.payload.signature. Each part is base64url-encoded.

Why does signature verification fail?

Common causes: wrong secret key, token was modified after signing, using public key for HMAC verification, or the token uses a different algorithm than expected. Verify you're using the correct key for the algorithm.

What does "alg: none" mean?

The "none" algorithm means the token has no signature - anyone can create or modify it. This is a critical security vulnerability. Never accept tokens with alg:none in production systems.

How do I read the exp and iat claims?

These are Unix timestamps (seconds since Jan 1, 1970). The tool converts them to readable dates. "exp" is expiration time - the token is invalid after this. "iat" is issued-at time.

Can I decode a JWT without the secret key?

Yes, decoding the header and payload doesn't require the key - they're just base64url-encoded, not encrypted, so anyone holding the token can read them. However, you need the key to verify the signature and confirm the token hasn't been tampered with.

Is it safe to paste my JWT into this tool?

The tool runs entirely in your browser - tokens never leave your device. However, avoid pasting production tokens with sensitive data. Use test tokens or tokens from development environments when possible.

What's the difference between HS256 and RS256?

HS256 uses HMAC with a shared secret - both signer and verifier have the same key. RS256 uses RSA - the signer has a private key, and anyone with the public key can verify. RS256 is better for distributed systems where you can't share secrets.