JWT Decoder

Paste a JWT token to instantly decode the Header, Payload, and Signature — and check its expiry status

  1. Paste your full JWT token into the input area above.
  2. Click "Decode"; the token is also decoded automatically when you paste it.
  3. Inspect the Header (algorithm and token type) and Payload (user data and claims).
  4. Check the expiry badge: green means valid, red means expired.
  5. Use the Copy button on each section to copy that JSON block.

Note: This tool only decodes — it does not verify signatures.

When would you use this?

  • When debugging an API and you want to quickly read the JWT payload.
  • When you need to confirm that a token has not expired, or that the expiry is set correctly.
  • When you want to see which signing algorithm is used in the Header alg field.

Is decoding the same as verification?

No. Decoding only reverses the Base64URL encoding to reveal the JSON content — anyone can do that. Verification requires checking the cryptographic signature using a server-side secret or public key, which this tool does not do.

Is my token sent to a server?

No. All decoding happens locally in your browser. The token is never transmitted anywhere.

Why are the timestamps in the Payload shown as numbers?

JWT uses Unix timestamps (seconds since 1970-01-01 00:00:00 UTC) for time fields such as iat, exp, and nbf. This tool automatically converts them to human-readable dates.

What does alg: none mean?

It means the token has no signature, so anyone can forge it. This is a serious security risk. Production systems should always reject tokens with alg: none.
