Decode and inspect JWT Header and Payload
JWT (JSON Web Token) is a compact, URL-safe token format for transmitting claims between parties. It is widely used for stateless authentication and authorization: the server issues a signed token instead of storing a session, and the client presents the token with each request. The server establishes the caller's identity by checking the signature, not by looking up server-side state.
A token is three Base64URL segments joined by dots: Header.Payload.Signature

| Part | Content | Encoding |
|---|---|---|
| Header | Algorithm and token type, e.g. {"alg":"HS256","typ":"JWT"} | Base64URL |
| Payload | Claims: iss, sub, exp, iat plus any custom fields | Base64URL |
| Signature | For HS256: HMAC-SHA256(header + "." + payload, secret), computed over the two Base64URL-encoded segments | Base64URL of the raw signature bytes |
The Payload is Base64URL-encoded, not encrypted: anyone who obtains the token can decode it. Never put passwords, API keys or other sensitive data in it. If the claims themselves must stay confidential, encrypt the token (JWE) or keep the data server-side and reference it by identifier.

Registered claims you will commonly see (exp, iat and nbf are NumericDate values, i.e. seconds since the Unix epoch):

| Claim | Meaning |
|---|---|
| exp | Expiration time |
| iat | Issued at |
| sub | Subject |
| iss | Issuer |
| nbf | Not before |
| aud | Audience |
| jti | Unique token identifier |
| Algorithm | Type | Notes |
|---|---|---|
| HS256 | Symmetric | HMAC + SHA-256. One shared secret both signs and verifies, so every verifier can also mint tokens; suited to a single service or a small set of services that can all hold the secret |
| RS256 | Asymmetric | RSA + SHA-256. Verifiers need only the public key; ideal for microservices and third-party verification |
| ES256 | Asymmetric | ECDSA on the P-256 curve + SHA-256. Much shorter keys and signatures than RSA for equivalent strength, with faster signing |
Do I need the secret key to decode a JWT?
No. The Header and Payload are simply Base64URL-encoded, so anyone holding the token can decode and read them (this is also why most tokens start with eyJ, the Base64URL encoding of a JSON object's opening {"). The secret, or the public key for RS256/ES256, is needed only to verify the signature, i.e. to confirm the token was issued by the expected party and has not been tampered with. This tool focuses on decoding, not signature verification: it will not tell you whether the token has expired (exp), whether the issuer is correct (iss), or whether the algorithm matches what your server expects.

Why is my expired token still accepted?
Possible causes: the server is configured with a clock-skew tolerance (leeway) large enough to cover the gap, a Refresh Token is transparently renewing the Access Token so you are looking at a newer token than you think, or the server is not validating the exp field at all. Decoding the token shows you the exp value; only the server-side logs and validation code tell you what was actually checked.

What does alg: "none" mean?
It marks an unsigned JWT: the header declares no signing algorithm and the signature segment is empty. Honouring it is a well-known vulnerability. An attacker re-encodes the header with alg set to none, drops the signature, and, if the server trusts the alg field in the token to decide how to verify, bypasses signature verification entirely. Production servers must reject none and, more generally, verify against a fixed allowlist of algorithms configured server-side rather than whatever the token claims.
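The three FAQ answers above describe the same small set of operations: decoding the header and payload with no key, verifying an HS256 signature, applying exp with a clock-skew leeway, and refusing alg: "none". The following Python puts them together in one place. It is an added example written for this page, not code from this tool or from any JWT library; the secret, claims and issuer URL are constructed fixtures, and the function names (decode_unverified, verify_hs256, check_token, forge_alg_none) are this example's own. It uses only the standard library.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional, Tuple

# Constructed demo secret for the example; never reuse a value like this.
DEMO_SECRET = b"demo-secret-do-not-use"


def b64url_decode(segment: str) -> bytes:
    """Base64URL decode, restoring the '=' padding that JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(raw: bytes) -> str:
    """Base64URL encode without padding, as the JWS compact form requires."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_unverified(token: str) -> Tuple[dict, dict]:
    """Read header and payload with no key at all. Nothing returned is trusted."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    return json.loads(b64url_decode(parts[0])), json.loads(b64url_decode(parts[1]))


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Mint an HS256 token; used here only to build fixtures."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def forge_alg_none(claims: dict) -> str:
    """What an attacker submits: alg set to none and an empty signature segment."""
    header = {"alg": "none", "typ": "JWT"}
    return (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
            + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()) + ".")


def verify_hs256(token: str, secret: bytes, expected_iss: str,
                 leeway: int = 0, now: Optional[int] = None) -> dict:
    """Server-side verification. Raises ValueError on any failure."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header, payload = decode_unverified(token)
    # The algorithm is a server decision, not a token field: comparing against
    # the one value we accept rejects "none" (in any capitalisation) and stops
    # the token from steering us into a different verification routine.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    signing_input = (parts[0] + "." + parts[1]).encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    # Constant-time comparison so timing does not reveal how many bytes matched.
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        raise ValueError("bad signature")
    now = int(time.time()) if now is None else now
    if "exp" not in payload:
        raise ValueError("exp claim missing")
    # leeway is the clock-skew tolerance; a generous value is one reason a
    # token that looks expired in a decoder is still accepted by the server.
    if now > payload["exp"] + leeway:
        raise ValueError("token expired")
    if "nbf" in payload and now < payload["nbf"] - leeway:
        raise ValueError("token not yet valid")
    if payload.get("iss") != expected_iss:
        raise ValueError(f"unexpected issuer {payload.get('iss')!r}")
    return payload


def check_token(token: str, secret: bytes, expected_iss: str,
                leeway: int = 0, now: Optional[int] = None) -> str:
    """Return "valid" or the reason the token was rejected."""
    try:
        verify_hs256(token, secret, expected_iss, leeway=leeway, now=now)
        return "valid"
    except ValueError as err:
        return str(err)


if __name__ == "__main__":
    # Constructed claims; timestamps are fixed so the run is reproducible.
    claims = {"iss": "https://issuer.example", "sub": "user-42",
              "iat": 1_700_000_000, "exp": 1_700_003_600}
    token = sign_hs256(claims, DEMO_SECRET)
    print(decode_unverified(token))  # readable with no key at all
    print(check_token(token, DEMO_SECRET, "https://issuer.example", now=1_700_000_100))
    print(check_token(token, DEMO_SECRET, "https://issuer.example", now=1_700_003_630))
    print(check_token(token, DEMO_SECRET, "https://issuer.example", leeway=60, now=1_700_003_630))
    print(check_token(forge_alg_none(claims), DEMO_SECRET, "https://issuer.example"))
```

The order of checks in verify_hs256 is deliberate: the algorithm is pinned before any cryptography runs, the signature is checked before any claim is read as meaningful, and only then are exp, nbf and iss enforced. The same structure applies to RS256/ES256; only the signature step changes.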