JWT 解碼器

即時解碼和檢查 JSON Web 令牌

JWT 解碼器是用於解碼、解析和檢查 JSON Web 令牌 (JWT) 的免費線上工具。即時查看令牌標頭、有效負載、簽名和聲明。調試 OAuth 2.0、OpenID Connect 和現代 Web 應用程式中使用的身份驗證和授權令牌。完全在瀏覽器中工作,完全保護隱私 - 令牌永遠不會發送到我們的伺服器。

How to Use JWT Decoder

Decoding JWT tokens is simple and instant:

Step 1: Paste Your JWT Token
Paste your complete JWT token into the input field. JWT tokens typically start with 'eyJ' and contain three parts separated by dots (header.payload.signature).
Step 2: Automatic Decoding
The token is automatically decoded and parsed in real-time. No need to click any button - results appear instantly as you paste.
Step 3: Inspect Token Parts
View the decoded header (algorithm, type), payload (claims, expiration, issued-at), and signature. Each part is displayed in formatted JSON for easy reading and debugging.

All JWT decoding and parsing happens locally in your browser using JavaScript. Your tokens never leave your device and are never sent to our servers, ensuring complete privacy and security.

form.title

JWT Token Input

使用場景

usecases.intro

API認證除錯

當API請求因認證錯誤失敗時，解碼JWT檢查過期時間、簽發者和受眾聲明，以確定根本原因。

安全稽核

檢查應用程式中使用的JWT，驗證敏感資料是否未在負載中暴露，以及是否使用了適當的演算法。

開發與測試

在開發過程中，快速驗證產生的權杖是否包含正確的聲明、角色和權限，然後再進行整合測試。

權杖過期分析

檢查'exp'和'iat'聲明以了解權杖有效期，並排查應用程式中的工作階段逾時問題。

學習JWT結構

JWT新手學生和開發人員可以視覺化三部分結構（標頭、負載、簽名），更好地理解基於權杖的認證運作原理。

什麼是JWT（JSON Web Token）？

JWT（JSON Web Token）是一種開放標準（RFC 7519），用於以JSON物件的形式在各方之間安全地傳輸資訊。它緊湊、URL安全，廣泛用於現代Web應用程式的認證和資訊交換。

三部分結構

JWT由三個用點分隔的部分組成：標頭（演算法和權杖類型）、負載（聲明和資料）和簽名（驗證雜湊）。每個部分都經過Base64URL編碼以確保安全傳輸。

常見用途

JWT主要用於認證（登入工作階段）、授權（存取控制）和服務之間的安全資訊交換。它們是無狀態的，無需伺服器端工作階段儲存。

安全注意事項

雖然JWT經過簽名以防止竄改，但負載只是編碼而非加密。切勿在JWT中儲存密碼等敏感資料。始終在伺服器端驗證簽名，並使用HTTPS進行傳輸。

Frequently Asked Questions (FAQ)

What is the difference between decoding and verifying a JWT?

Decoding means extracting and reading the header and payload from the token using Base64Url decoding - anyone can do this. Verifying means checking the signature to ensure the token wasn't tampered with - this requires the secret key or public key. Our tool only decodes tokens; signature verification must be done on your secure server.

Is it safe to paste my JWT token here?

Our tool processes tokens entirely in your browser - nothing is sent to servers. However, you should still be cautious with production tokens. For maximum security, only use test/development tokens, or use this tool offline by saving the webpage locally.

Why does my JWT start with 'eyJ'?

All JWTs start with 'eyJ' because the header JSON (typically {"alg":"HS256","typ":"JWT"}) begins with '{"' which Base64Url encodes to 'eyJ'. This is a reliable indicator that a string is a JWT token.

Can this tool verify JWT signatures?

No, signature verification requires the secret key (HMAC algorithms) or public key (RSA/ECDSA algorithms). Entering these keys into an online tool would be a serious security risk. Always verify signatures on your own secure servers using trusted libraries.

What does 'exp' mean in the payload?

The 'exp' (expiration) claim is a Unix timestamp indicating when the token expires. Tokens should be rejected after this time. For example, 'exp': 1735689600 means the token expires on January 1, 2025 at 00:00:00 UTC.

My token has three dots instead of two. Is it valid?

Standard JWTs have exactly two dots separating three parts (header.payload.signature). Extra dots indicate the token may be malformed, double-encoded, or not a standard JWT. Check your token generation code.

Can I use this tool for OAuth 2.0 tokens?

Yes! OAuth 2.0 access tokens and ID tokens (from OpenID Connect) are often JWTs. You can decode them to view user information, scopes, expiration times, and other claims. However, some OAuth providers use opaque tokens (random strings) which cannot be decoded.

What is the 'none' algorithm and why is it dangerous?

The 'none' algorithm means the token has no signature. If a server accepts tokens with 'alg': 'none', attackers can forge tokens by creating header/payload with any claims and no signature. Secure systems should always reject tokens with the 'none' algorithm.