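JWT Decoder
Decode and inspect JWT tokens
How to use JWT Decoder
1. Paste your JWT token into the input field
2. The token is parsed automatically and instantly
3. Review the header, payload, and signature
About JWT Decoder
JWT Decoder is a secure analysis tool that decodes JSON Web Tokens and displays their contents in a readable format. It shows the signature header, the encoded payload, and the expiration time.
Key features of JWT Decoder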
- Decode any JWT and display header, payload, and signature
- Shows the signing algorithm from the header (HS256, RS256, etc.)
- Displays expiration (exp), issued-at (iat), and not-before (nbf) as readable dates
- Highlights expired tokens with a clear visual warning
- Pretty-printed JSON output for both header and payload
- Works entirely in-browser — your token is never transmitted
- Supports all standard JWT structures including nested JWTs
- One-click copy for the full decoded payload
Examples
Inspect claims in an OAuth 2.0 access token
View the subject, scopes, and expiration of a token returned by an OAuth authorization server.
Input
eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJ1c2VyMTIzIiwic2NvcGUiOiJyZWFkIiwiZXhwIjoxNzAwMDAwMDAwfQ.signature
Output
Header: {"alg":"RS256"} | Payload: {"sub":"user123","scope":"read","exp":"2023-11-14T22:13:20Z"}
Check if a session token has expired
Determine if a JWT from a user session is still valid by inspecting its exp claim.
Input
A JWT with an exp claim set to a past date
Output
Token expired on 2025-01-01 00:00:00 UTC — highlighted in red
Main use cases
- Inspecting OAuth 2.0 access tokens to verify scopes and expiration
- Debugging authentication failures by checking JWT claims against API requirements
- Verifying token structure and algorithm when integrating a new identity provider
- Checking the subject (sub) and issuer (iss) of incoming tokens in API logs
- Teaching JWT structure and claims in security training and workshops
- Quickly checking whether a token in a browser DevTools cookie or header has expired
Troubleshooting
Invalid token — token is not a JWT
Solution
A JWT must have exactly three dot-separated sections (header.payload.signature). Ensure you are pasting the complete token string and have not accidentally trimmed any sections.
Payload shows garbled characters
Solution
JWT sections are Base64URL encoded (not standard Base64). The decoder handles this automatically. If output is garbled, ensure the token is complete and was not URL-decoded or modified before pasting.
Cannot tell if the token is valid (authentic)
Solution
Decoding shows the claims but does not verify the signature. Signature verification requires the signing key. Use your application's JWT library to verify the signature server-side.
Frequently asked questions
Is my JWT token safe when using this tool?
Yes. All decoding happens locally in your browser using JavaScript. Your JWT is never sent to any server, stored, or logged. The tool reads only what you paste into the input.
Can it verify JWT signatures?
No. Signature verification requires the secret key (for HMAC algorithms) or the public key (for RSA/ECDSA algorithms). This tool decodes and displays the header and payload only.
What is a JWT?
A JSON Web Token (JWT) is a compact, URL-safe token format that encodes a set of claims as a JSON object. It consists of three Base64URL-encoded parts: a header (algorithm), a payload (claims), and a signature.
What claims should I look for in a JWT?
Key standard claims include: sub (subject/user ID), iss (issuer), aud (audience), exp (expiration time), iat (issued at), and nbf (not before). Custom claims specific to your application may also be present.
How can I tell if a JWT has expired?
The exp claim contains a Unix timestamp representing when the token expires. This tool converts it to a human-readable date and highlights expired tokens. Compare the expiry to the current time.
What is the difference between HS256 and RS256?
HS256 (HMAC SHA-256) uses a shared secret key for both signing and verification — suitable for internal services. RS256 (RSA SHA-256) uses a private key for signing and a public key for verification — suitable for distributed systems where the verifier cannot hold the signing key.
Can I decode a JWT without a library?
Yes. A JWT is just three Base64URL-encoded JSON strings separated by dots. You can decode any section manually using atob() after replacing URL-safe characters. This tool automates exactly that process.
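The manual decoding described in the answer above, written out as an added example (it is not this tool's own code). The function names `base64UrlDecode` and `decodeJwt` and the `now` parameter are chosen here for illustration; the token is the sample from the Examples section. It decodes only and never checks the signature.

```javascript
// Added example: manual JWT decoding with atob(). Decoding only, no signature check.

// Convert one Base64URL section to a UTF-8 string.
function base64UrlDecode(section) {
  if (!/^[A-Za-z0-9_-]+$/.test(section)) {
    throw new Error("section is not Base64URL");
  }
  // Map the URL-safe alphabet back to standard Base64 and restore padding.
  let b64 = section.replace(/-/g, "+").replace(/_/g, "/");
  b64 += "=".repeat((4 - (b64.length % 4)) % 4);
  // atob() yields one char per byte; re-decode as UTF-8 so non-ASCII claims survive.
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes);
}

// Decode header and payload; `now` (Unix seconds) is injectable for testing.
function decodeJwt(token, now = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) {
    throw new Error("not a JWT: expected header.payload.signature");
  }
  const header = JSON.parse(base64UrlDecode(parts[0]));
  const payload = JSON.parse(base64UrlDecode(parts[1]));
  // Render the time claims (Unix seconds) as ISO 8601 dates.
  const dates = {};
  for (const claim of ["exp", "iat", "nbf"]) {
    if (typeof payload[claim] === "number") {
      dates[claim] = new Date(payload[claim] * 1000).toISOString();
    }
  }
  return {
    header,
    payload,
    dates,
    expired: typeof payload.exp === "number" && now >= payload.exp,
    signatureVerified: false, // decoding never proves authenticity
  };
}

// The page's sample token (its third part is the literal placeholder "signature").
const sample =
  "eyJhbGciOiJSUzI1NiJ9.eyJzdWIiOiJ1c2VyMTIzIiwic2NvcGUiOiJyZWFkIiwiZXhwIjoxNzAwMDAwMDAwfQ.signature";
const result = decodeJwt(sample);
console.log(result.header.alg, result.payload.sub, result.dates.exp, result.expired);
```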
Should I paste production tokens into online tools?
This tool processes tokens locally in your browser, so they are not transmitted anywhere. However, for sensitive production tokens in high-security environments, consider using a locally-run version or your application's built-in debugging capabilities.