JWT 解码器

即时解码和检查 JSON Web 令牌

JWT 解码器是用于解码、解析和检查 JSON Web 令牌 (JWT) 的免费在线工具。即时查看令牌标头、有效负载、签名和声明。调试 OAuth 2.0、OpenID Connect 和现代 Web 应用程序中使用的身份验证和授权令牌。完全在浏览器中工作,完全保护隐私 - 令牌永远不会发送到我们的服务器。

How to Use JWT Decoder

Decoding JWT tokens is simple and instant:

Step 1: Paste Your JWT Token
Paste your complete JWT token into the input field. JWT tokens typically start with 'eyJ' and contain three parts separated by dots (header.payload.signature).
Step 2: Automatic Decoding
The token is automatically decoded and parsed in real-time. No need to click any button - results appear instantly as you paste.
Step 3: Inspect Token Parts
View the decoded header (algorithm, type), payload (claims, expiration, issued-at), and signature. Each part is displayed in formatted JSON for easy reading and debugging.

All JWT decoding and parsing happens locally in your browser using JavaScript. Your tokens never leave your device and are never sent to our servers, ensuring complete privacy and security.

form.title

JWT Token Input

使用场景

usecases.intro

API认证调试

当API请求因认证错误失败时，解码JWT检查过期时间、颁发者和受众声明，以确定根本原因。

安全审计

检查应用程序中使用的JWT，验证敏感数据是否未在负载中暴露，以及是否使用了适当的算法。

开发与测试

在开发过程中，快速验证生成的令牌是否包含正确的声明、角色和权限，然后再进行集成测试。

令牌过期分析

检查'exp'和'iat'声明以了解令牌有效期，并排查应用程序中的会话超时问题。

学习JWT结构

JWT新手学生和开发人员可以可视化三部分结构（头部、负载、签名），更好地理解基于令牌的认证工作原理。

什么是JWT（JSON Web Token）？

JWT（JSON Web Token）是一种开放标准（RFC 7519），用于以JSON对象的形式在各方之间安全地传输信息。它紧凑、URL安全，广泛用于现代Web应用程序的认证和信息交换。

三部分结构

JWT由三个用点分隔的部分组成：头部（算法和令牌类型）、负载（声明和数据）和签名（验证哈希）。每个部分都经过Base64URL编码以确保安全传输。

常见用途

JWT主要用于认证（登录会话）、授权（访问控制）和服务之间的安全信息交换。它们是无状态的，无需服务器端会话存储。

安全注意事项

虽然JWT经过签名以防止篡改，但负载只是编码而非加密。切勿在JWT中存储密码等敏感数据。始终在服务器端验证签名，并使用HTTPS进行传输。

Frequently Asked Questions (FAQ)

What is the difference between decoding and verifying a JWT?

Decoding means extracting and reading the header and payload from the token using Base64Url decoding - anyone can do this. Verifying means checking the signature to ensure the token wasn't tampered with - this requires the secret key or public key. Our tool only decodes tokens; signature verification must be done on your secure server.

Is it safe to paste my JWT token here?

Our tool processes tokens entirely in your browser - nothing is sent to servers. However, you should still be cautious with production tokens. For maximum security, only use test/development tokens, or use this tool offline by saving the webpage locally.

Why does my JWT start with 'eyJ'?

All JWTs start with 'eyJ' because the header JSON (typically {"alg":"HS256","typ":"JWT"}) begins with '{"' which Base64Url encodes to 'eyJ'. This is a reliable indicator that a string is a JWT token.

Can this tool verify JWT signatures?

No, signature verification requires the secret key (HMAC algorithms) or public key (RSA/ECDSA algorithms). Entering these keys into an online tool would be a serious security risk. Always verify signatures on your own secure servers using trusted libraries.

What does 'exp' mean in the payload?

The 'exp' (expiration) claim is a Unix timestamp indicating when the token expires. Tokens should be rejected after this time. For example, 'exp': 1735689600 means the token expires on January 1, 2025 at 00:00:00 UTC.

My token has three dots instead of two. Is it valid?

Standard JWTs have exactly two dots separating three parts (header.payload.signature). Extra dots indicate the token may be malformed, double-encoded, or not a standard JWT. Check your token generation code.

Can I use this tool for OAuth 2.0 tokens?

Yes! OAuth 2.0 access tokens and ID tokens (from OpenID Connect) are often JWTs. You can decode them to view user information, scopes, expiration times, and other claims. However, some OAuth providers use opaque tokens (random strings) which cannot be decoded.

What is the 'none' algorithm and why is it dangerous?

The 'none' algorithm means the token has no signature. If a server accepts tokens with 'alg': 'none', attackers can forge tokens by creating header/payload with any claims and no signature. Secure systems should always reject tokens with the 'none' algorithm.