JWT Decoder


Decode and inspect JSON Web Tokens

Developer Tools

How to Use the JWT Decoder

  1. Paste the JWT into the input field
  2. The token is parsed automatically
  3. Review the header, payload, and signature

About the JWT Decoder

The JWT Decoder is a read-only analysis tool that decodes a JSON Web Token and displays its contents in readable form. It shows the header (including the signing algorithm), the decoded payload claims, and the token's timestamps, such as its expiration date.

Key Features of the JWT Decoder

  • Decode any JWT and display header, payload, and signature
  • Shows the signing algorithm from the header (HS256, RS256, etc.)
  • Displays expiration (exp), issued-at (iat), and not-before (nbf) as readable dates
  • Highlights expired tokens with a clear visual warning
  • Pretty-printed JSON output for both header and payload
  • Works entirely in-browser — your token is never transmitted
  • Supports all standard JWT structures including nested JWTs
  • One-click copy for the full decoded payload

Examples

Inspect claims in an OAuth 2.0 access token

View the subject, scopes, and expiration of a token returned by an OAuth authorization server.

Input

eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJ1c2VyMTIzIiwic2NvcGUiOiJyZWFkIiwiZXhwIjoxNzAwMDAwMDAwfQ.signature

Output

Header: {"alg":"RS256"} | Payload: {"sub":"user123","scope":"read","exp":"2023-11-14T22:13:20Z"}

Check if a session token has expired

Determine if a JWT from a user session is still valid by inspecting its exp claim.

Input

A JWT with an exp claim set to a past date

Output

Token expired on 2025-01-01 00:00:00 UTC — highlighted in red

Common Use Cases

  • Inspecting OAuth 2.0 access tokens to verify scopes and expiration
  • Debugging authentication failures by checking JWT claims against API requirements
  • Verifying token structure and algorithm when integrating a new identity provider
  • Checking the subject (sub) and issuer (iss) of incoming tokens in API logs
  • Teaching JWT structure and claims in security training and workshops
  • Quickly checking whether a token in a browser DevTools cookie or header has expired

Troubleshooting

Invalid token — token is not a JWT

Solution

A signed JWT (JWS compact serialization) has exactly three dot-separated sections: header.payload.signature. Ensure you are pasting the complete token string and have not accidentally trimmed a section, picked up a trailing quote or a "Bearer " prefix, or pasted an encrypted token (JWE), which has five sections and cannot be read without the decryption key.

Payload shows garbled characters

Solution

JWT sections are Base64URL encoded (the URL-safe alphabet with - and _ instead of + and /, and no = padding), not standard Base64. The decoder handles this automatically. If the output is garbled, check that the token is complete and was not URL-encoded, URL-decoded, or otherwise modified before pasting; garbled non-ASCII characters in claim values usually mean the payload was decoded as Latin-1 rather than UTF-8.

Cannot tell if the token is valid (authentic)

Solution

Decoding shows the claims but does not verify the signature, so nothing displayed here proves the token is authentic: anyone can produce a token with any claims. Signature verification requires the signing key (the HMAC secret, or the issuer's public key). Use your application's JWT library to verify the signature server-side, with the expected algorithm, issuer, and audience pinned in configuration rather than read from the token.

Frequently Asked Questions

Is my JWT token safe when using this tool?

Yes. All decoding happens locally in your browser using JavaScript. Your JWT is never sent to any server, stored, or logged. The tool reads only what you paste into the input.

Can it verify JWT signatures?

No. Signature verification requires the secret key (for HMAC algorithms such as HS256) or the issuer's public key (for RSA and ECDSA algorithms such as RS256 and ES256). This tool decodes and displays the header and payload only; treat the claims it shows as unverified input.

What is a JWT?

A JSON Web Token (JWT) is a compact, URL-safe token format that encodes a set of claims as a JSON object. In its common signed form it consists of three Base64URL-encoded parts separated by dots: a JSON header (algorithm and token type), a JSON payload (the claims), and the raw signature bytes computed over the first two parts.

What claims should I look for in a JWT?

Key standard claims include: sub (subject/user ID), iss (issuer), aud (audience), exp (expiration time), iat (issued at), and nbf (not before). Custom claims specific to your application may also be present.

How can I tell if a JWT has expired?

The exp claim contains a Unix timestamp in seconds (not milliseconds) representing when the token expires. This tool converts it to a human-readable date and highlights expired tokens. Compare the expiry to the current time, bearing in mind that verifiers typically allow a few seconds of clock skew and may also enforce nbf (not before), so a token shown as active here can still be rejected by the server.

What is the difference between HS256 and RS256?

HS256 (HMAC SHA-256) uses a shared secret key for both signing and verification — suitable for internal services. RS256 (RSA SHA-256) uses a private key for signing and a public key for verification — suitable for distributed systems where the verifier cannot hold the signing key.

Can I decode a JWT without a library?

Yes. A JWT is three Base64URL-encoded sections separated by dots; the first two are JSON strings and the third is raw signature bytes. You can decode the header or payload manually with atob() after converting the Base64URL alphabet back to standard Base64 (- to +, _ to /) and restoring the = padding, then decoding the bytes as UTF-8. This tool automates exactly that process.
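The manual decode described above, carried through as an added example that is not part of the page or its tool, together with the expiry and not-before evaluation the tool performs. It handles the Base64URL alphabet, missing padding, UTF-8 claim values, the seconds-versus-milliseconds pitfall in exp, and an optional clock-skew leeway. The sample token is the page's own RS256 example; toIsoDate and tokenStatus are names chosen here, not part of any library.

```javascript
// Added example: decode a JWT without a library and evaluate exp/nbf.
// Uses the atob() and TextDecoder globals available in browsers and Node 16+.

// Base64URL -> bytes: swap the URL-safe characters back, restore padding, decode.
function base64UrlToBytes(s) {
  let b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  const rem = b64.length % 4;
  if (rem === 1) throw new Error('invalid Base64URL length');
  if (rem) b64 += '='.repeat(4 - rem);
  const bin = atob(b64);
  const bytes = new Uint8Array(bin.length);
  for (let i = 0; i < bin.length; i++) bytes[i] = bin.charCodeAt(i);
  return bytes;
}

// Decode one JSON section as UTF-8 so non-ASCII names or emails are not garbled.
function decodeJwtSection(s) {
  const text = new TextDecoder('utf-8', { fatal: true }).decode(base64UrlToBytes(s));
  return JSON.parse(text);
}

// Split into exactly three sections; the signature is kept as-is (not JSON).
function decodeJwt(token) {
  const parts = token.trim().split('.');
  if (parts.length !== 3) throw new Error(`expected 3 sections, got ${parts.length}`);
  const [h, p, sig] = parts;
  return { header: decodeJwtSection(h), payload: decodeJwtSection(p), signature: sig };
}

// exp/iat/nbf are NumericDate values: seconds since the Unix epoch.
function toIsoDate(seconds) {
  return new Date(seconds * 1000).toISOString().replace(/\.000Z$/, 'Z');
}

// The tool's "expired" warning as a function. `now` (seconds) and `leewaySec`
// are parameters so the check is deterministic; verifiers allow a few seconds
// of skew, which is why a token can look active here yet be rejected upstream.
function tokenStatus(payload, now = Math.floor(Date.now() / 1000), leewaySec = 0) {
  if (typeof payload.exp === 'number' && now > payload.exp + leewaySec) {
    return { state: 'expired', at: toIsoDate(payload.exp) };
  }
  if (typeof payload.nbf === 'number' && now + leewaySec < payload.nbf) {
    return { state: 'not-yet-valid', at: toIsoDate(payload.nbf) };
  }
  return { state: 'active', expiresAt: payload.exp === undefined ? null : toIsoDate(payload.exp) };
}

// The page's sample token (RS256 header; sub, scope and exp claims).
const SAMPLE =
  'eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJ1c2VyMTIzIiwic2NvcGUiOiJyZWFkIiwiZXhwIjoxNzAwMDAwMDAwfQ.signature';

// Stand-alone run: mirrors the tool's display for the sample token.
const decoded = decodeJwt(SAMPLE);
console.log('Header:', decoded.header);
console.log('Payload:', { ...decoded.payload, exp: toIsoDate(decoded.payload.exp) });
console.log('Status:', tokenStatus(decoded.payload));
```

Nothing in this block checks the signature: as with the tool, the claims it prints are whatever the token's author put there.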

Should I paste production tokens into online tools?

This tool processes tokens locally in your browser, so they are not transmitted anywhere; you can confirm this yourself by watching the Network tab in DevTools while pasting, or by loading the page and then going offline. Even so, a pasted token can linger in clipboard history and browser session data, and a valid access token is a credential until it expires. For sensitive production tokens in high-security environments, prefer a locally-run copy of the decoder, a one-line script in a terminal, or your application's own debugging facilities, and treat any token you have pasted anywhere as one to revoke or let expire.