JWT Decoder

Decode and inspect JSON Web Tokens safely.

Decoding happens locally; the token never leaves your browser.

Encoded JWT

Header

// header

Payload

// payload

Signature

// signature

Decoding and Verifying JSON Web Tokens

Overview

JSON Web Tokens (JWTs) are the de facto standard for stateless authentication in modern web apps. A JWT is three Base64URL-encoded segments separated by dots: header.payload.signature. The header declares the signing algorithm; the payload carries claims about the user (sub, exp, iss, custom fields); the signature lets a verifier detect whether the header or payload was tampered with. This decoder lets you inspect any JWT instantly, verify the signature (if you have the secret or public key), and detect expired or not-yet-valid tokens — all in your browser, never sending the token anywhere.

How It Works

The tool splits the token on dots, Base64URL-decodes the header and payload to JSON, and displays them with syntax highlighting. The third segment (signature) is shown raw. For HS256/384/512 algorithms, paste the shared secret and the tool computes the HMAC over header.payload and compares it to the token's signature; a match means the token was produced by a holder of that secret and has not been modified. For RS256/RS384/RS512 and ES256/ES384/ES512, paste the public key (PEM format) and the tool verifies using the Web Crypto API. Standard time claims (exp, iat, nbf) are interpreted into human-readable countdowns.

When to Use This

Debugging authentication issues ('why is my API rejecting this token?'). Inspecting Auth0/Firebase/Supabase tokens to see what claims they carry. Verifying that token expiration works correctly in your app. Understanding what a third-party JWT contains before trusting it. Reverse-engineering an unfamiliar API's auth scheme. Educational: showing students what a JWT actually looks like inside.

Frequently Asked Questions

Is decoding the same as verifying?

No. Anyone can decode a JWT (the data is just Base64-encoded, not encrypted) and see all claims. Verifying means cryptographically checking the signature with the secret/public key to confirm the token is authentic and unmodified. Always verify before trusting.

Can I trust an expired token's contents?

Generally no — but it depends on your application. The expiration claim (exp) bounds how long a leaked token can be replayed. Some applications issue long-lived tokens with no exp at all; where exp is present, you should reject any token whose exp is earlier than the current time.

Are JWTs secure to put in localStorage?

Controversial. localStorage is readable by any script running on the page, so an XSS flaw exposes every token stored there. Best practice: keep refresh tokens in httpOnly cookies and short-lived access tokens (~15 min) in memory. Never rely on client-stored tokens to enforce permissions; the server must verify the signature and claims on each request.

Important Notes

JWTs are signed but not encrypted by default — anyone with the token can read all claims. Don't store sensitive data (PII, payment info) in JWT payload unless using JWE (encrypted variant).

Recommended Tools

Hand-picked tools you might find useful