JWT Decoder & Validator
Paste a JSON Web Token. We decode the header, payload, and signature locally — nothing is sent to the server. Flags alg: none, expired tokens, and weak algorithms.
What it does
JSON Web Tokens (JWT) are everywhere — OAuth flows, API authentication, session cookies. Reading them when troubleshooting is essential. Our decoder splits the three Base64URL-encoded parts (header.payload.signature), parses the JSON in each, and surfaces security-relevant flags: the dreaded alg: none bypass, expired tokens (exp in the past), weak HMAC algorithms. Everything happens in your browser; the token never touches our server.
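The split-decode-flag logic described above, as an added example that is not the tool's own source: it runs in a browser or Node (atob, btoa, TextEncoder and TextDecoder are globals in both), and the flag names, the case-insensitive `none` check and the sample token are this example's own assumptions.

```javascript
// Added example, not the site's tool code. Decodes a JWT locally and raises the
// flags the page describes. It never verifies the signature: that needs the
// issuer's key, so "decoded" never means "trusted".

function base64UrlDecode(segment) {
  // JWT segments are Base64URL without padding: restore the standard
  // alphabet and padding before handing the string to atob.
  const padded = segment.replace(/-/g, "+").replace(/_/g, "/")
    .padEnd(segment.length + ((4 - (segment.length % 4)) % 4), "=");
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return new TextDecoder().decode(bytes);
}

function base64UrlEncode(obj) {
  // Only used to build constructed sample tokens for the demo below.
  const bytes = new TextEncoder().encode(JSON.stringify(obj));
  return btoa(String.fromCharCode(...bytes))
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Returns { header, payload, signature, flags }; `now` is Unix seconds.
function decodeJwt(token, now = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const [h, p, signature] = parts;
  const header = JSON.parse(base64UrlDecode(h));
  const payload = JSON.parse(base64UrlDecode(p));
  const flags = [];
  const alg = String(header.alg ?? "");
  // Case-insensitive so spelling variants such as "None" are caught too.
  if (alg.toLowerCase() === "none") flags.push("ALG_NONE");
  if (alg === "") flags.push("ALG_MISSING");
  // Informational: HMAC means a shared secret; whether the verifier also
  // accepts RS* (key confusion) cannot be judged from the token alone.
  if (/^HS(256|384|512)$/.test(alg)) flags.push("HMAC_SHARED_SECRET");
  if (typeof payload.exp !== "number") flags.push("EXP_MISSING");
  else if (payload.exp < now) flags.push("EXPIRED");
  if (signature === "") flags.push("EMPTY_SIGNATURE");
  return { header, payload, signature, flags };
}

// Constructed sample: alg=none, empty signature, exp already in the past.
const sampleToken = base64UrlEncode({ alg: "none", typ: "JWT" }) + "." +
  base64UrlEncode({ sub: "user-123", exp: 1700000000 }) + ".";
console.log(decodeJwt(sampleToken, 1800000000).flags);
```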
How to use it
- Copy a JWT from your application — they look like xxx.yyy.zzz, three Base64URL chunks separated by dots.
- Paste into the input box.
- Click "Decode JWT".
- Review the header (algorithm used), payload (claims like exp, iat, sub), and signature.
- Look at the security-flag panel — red flags indicate vulnerabilities the issuer must fix.
Common use cases
OAuth debugging
When an OAuth flow returns an unexpected response, decode the access_token to see the embedded claims and audience.
API troubleshooting
A backend rejects your token? Decode it locally to verify the claims match what the API expects (correct iss, aud, scope).
Penetration testing
During a web app pentest, decode JWTs found in cookies/localStorage to find the algorithm + claim structure before attempting forgery.
Bug-bounty research
Flag JWTs using alg=none, RS256-vs-HS256 confusion, or missing exp claims in vendor implementations.
Frequently asked questions
Is my token sent to your server?
No. The entire decode runs in your browser’s JavaScript engine. The network panel will show zero requests to our backend.
What is alg=none?
A historical JWT bug — some libraries accept a JWT with header alg: "none" and treat it as valid without verifying the signature. Attackers can forge tokens by setting alg=none and leaving the signature empty.
How do I tell if my token is expired?
The exp claim is a Unix timestamp. If it’s less than the current time, the token is expired. Our decoder shows you this explicitly.
Can I verify the signature?
Not without the secret/public key. Decoders surface the header/payload; signature verification requires the issuer’s key. We may add this in the future.
HS256 vs RS256?
HS256 = HMAC with a shared secret (symmetric). RS256 = RSA signing (asymmetric). RS256 is preferred when many parties need to verify; HS256 is fine for single-party use.
Related tools
Encoder / Decoder
Base64, hex, URL, HTML, ROT13, binary — converted live as you type. All in your browser.
Hash Generator
MD5, SHA-1, SHA-256, SHA-384, SHA-512. Computed in your browser — input never leaves your device.
HTTP Security Headers Checker
Graded A–F. Tests HSTS, CSP, X-Frame-Options, Referrer-Policy, Permissions-Policy, COOP/COEP/CORP.
Free for everyone, no signup required. Tool runs at /tools/jwt-decoder/ — bookmark or share.