JWT Decoder
Inspect tokens
About this tool
Decode JSON Web Tokens to inspect their header and payload. JWTs are the standard way to carry authentication and authorization claims between services - and they're just three Base64-encoded JSON parts joined by dots. Privvert decodes them locally so you can read what's inside.
Highlights important fields (issuer, subject, audience, expiry, issued-at) and warns when a token is expired. Optionally verifies an HMAC-signed token if you provide the secret. Decoding happens in your browser - production tokens never go anywhere else.
Features
- Decode header and payload to formatted JSON
- Highlights iss, sub, aud, exp, iat, nbf, jti claims
- Expiry / not-before validation with clear warnings
- Optional HMAC signature verification (HS256/HS384/HS512)
- Algorithm identification from the header
- Browser-only - tokens never uploaded
- Free and unlimited
How to use
- Paste a JWT (header.payload.signature).
- Read the decoded header and payload.
- (Optional) paste the HMAC secret to verify the signature.
Everything happens inside your browser with JavaScript and WebAssembly. Your files are never uploaded to a server, never stored, and never seen by us.
Frequently asked questions
Decoding doesn't reveal anything secret on its own - JWT payloads are plain Base64 that anyone can decode. The signature secret is what proves the token wasn't tampered with. Still, treat production tokens as credentials and don't paste them into untrusted tools.
Currently HMAC-based algorithms (HS256/HS384/HS512). RSA and ECDSA verification (RS/ES algorithms) require the public key - that's on the roadmap.
Trusting the alg field in the header. Always pin the expected algorithm server-side; never let the token's own header decide which verification method to use.
Check the exp claim (Unix seconds). Compare to your current Unix time - clock skew between issuer and verifier can also cause near-expiry tokens to fail.
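The algorithm-pinning and expiry advice above, shown as an added Node.js example (not Privvert's code): the verifier fixes HS256 itself, compares the signature in constant time, and applies a clock-skew allowance to exp and nbf. The names signHS256, verifyHS256 and demo, the secret, the claims and the 60-second skew are assumptions made for illustration.

```javascript
// Added example, not Privvert's code. Secret, claims and timestamps are constructed.
const { createHmac, timingSafeEqual } = require("node:crypto");

const enc = (obj) => Buffer.from(JSON.stringify(obj)).toString("base64url");
const dec = (part) => JSON.parse(Buffer.from(part, "base64url").toString("utf8"));
const mac = (input, secret) => createHmac("sha256", secret).update(input).digest();

// Hypothetical helper that mints sample tokens for demo().
function signHS256(header, payload, secret) {
  const input = `${enc(header)}.${enc(payload)}`;
  return `${input}.${mac(input, secret).toString("base64url")}`;
}

// The verifier pins HS256; the header's alg is only compared against it.
function verifyHS256(token, secret, { now = Math.floor(Date.now() / 1000), skew = 60 } = {}) {
  const parts = String(token).split(".");
  if (parts.length !== 3) return { ok: false, reason: "malformed" };
  let header, payload;
  try { header = dec(parts[0]); payload = dec(parts[1]); }
  catch { return { ok: false, reason: "malformed" }; }
  if (header?.alg !== "HS256") return { ok: false, reason: "unexpected-alg" };
  const expected = mac(`${parts[0]}.${parts[1]}`, secret);
  const given = Buffer.from(parts[2], "base64url");
  // timingSafeEqual throws on unequal lengths, so compare lengths first.
  if (given.length !== expected.length || !timingSafeEqual(given, expected)) {
    return { ok: false, reason: "bad-signature" };
  }
  // exp and nbf are Unix seconds; skew tolerates issuer/verifier clock drift.
  if (typeof payload?.exp === "number" && now >= payload.exp + skew) return { ok: false, reason: "expired" };
  if (typeof payload?.nbf === "number" && now < payload.nbf - skew) return { ok: false, reason: "not-yet-valid" };
  return { ok: true, reason: "valid", payload };
}

function demo() {
  const secret = "constructed-demo-secret";
  const claims = { iss: "https://issuer.example", sub: "user-1", nbf: 1700000000, exp: 1700003600 };
  const at = { now: 1700000100 };
  const good = signHS256({ alg: "HS256", typ: "JWT" }, claims, secret);
  const [h, , s] = good.split(".");
  const edited = `${h}.${enc({ ...claims, sub: "admin" })}.${s}`; // payload changed, old signature
  return {
    valid: verifyHS256(good, secret, at).reason,
    otherAlg: verifyHS256(signHS256({ alg: "HS512", typ: "JWT" }, claims, secret), secret, at).reason,
    edited: verifyHS256(edited, secret, at).reason,
    nearExpiry: verifyHS256(good, secret, { now: 1700003630 }).reason, // 30 s past exp, within skew
    expired: verifyHS256(good, secret, { now: 1700003700 }).reason,
  };
}
console.log(demo());
```

With skew set to 0 the near-expiry case is rejected as expired, which is the failure the clock-skew note describes.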