Browser-only tool

JWT Decoder

Inspect claims for debugging, keeping in mind that decoding is not verifying.

  • Updated: 2026-04-30
  • JWT decoding runs locally in your browser. The token is not uploaded by this static page.

Warning: decoding does not mean verifying. Do not paste production tokens if you do not trust this local environment.

Decoded header and payload will appear here.

The signature is not verified by this tool.

Privacy and limitations

JWT decoding runs locally in your browser. The token is not uploaded by this static page.

  • Decoding is not verification. A decoded token can still be forged or expired.
  • Do not paste production access tokens, refresh tokens, or secrets unless you trust the local environment.
  • Signature verification requires trusted keys and issuer-specific validation rules.

FAQ

Does this verify JWT signatures?

No. It decodes header and payload only. Verification needs trusted keys and issuer rules.

Is it safe to paste production tokens?

Avoid it. Tokens can grant access and may also be stored in browser history or screenshots.

What parts of a JWT are decoded?

The tool decodes the Base64URL header and payload. It shows the signature segment but does not validate it.

Can decoded claims be trusted?

Not without signature, issuer, audience, expiry, and policy validation.
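
The following is an added example, not this tool's own code: a decode-only inspector that splits the token, Base64URL-decodes header and payload, and reports what it cannot vouch for. The function names (`b64urlToJson`, `inspectJwt`, `toB64url`) and the sample tokens are constructed for illustration; note that a payload edited without the signing key decodes just as cleanly as the original.

```javascript
// Added example: decode-only JWT inspection. No signature check is performed.
// All names and sample tokens here are constructed for illustration.

function b64urlToJson(segment) {
  if (!/^[A-Za-z0-9_-]+$/.test(segment)) throw new Error("not Base64URL");
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4); // restore stripped padding
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return JSON.parse(new TextDecoder().decode(bytes)); // payload may contain UTF-8
}

function inspectJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const [header, payload] = [b64urlToJson(parts[0]), b64urlToJson(parts[1])];
  // Decoding proves nothing about origin, so this warning is always present.
  const warnings = ["signature not verified: claims are untrusted"];
  if (String(header.alg).toLowerCase() === "none" || parts[2] === "")
    warnings.push("unsigned token (alg none or empty signature)");
  if (typeof payload.exp !== "number") warnings.push("no exp claim");
  else if (payload.exp <= nowSeconds) warnings.push("expired");
  if (typeof payload.nbf === "number" && payload.nbf > nowSeconds)
    warnings.push("not yet valid (nbf)");
  return { header, payload, signature: parts[2], warnings };
}

// Helper used only to build the constructed sample tokens below.
function toB64url(obj) {
  const bytes = new TextEncoder().encode(JSON.stringify(obj));
  return btoa(String.fromCharCode(...bytes))
    .replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

const NOW = 1800000000; // fixed clock so the results are reproducible
const original = [
  toB64url({ alg: "HS256", typ: "JWT" }),
  toB64url({ sub: "user-1", role: "viewer", exp: NOW + 300 }),
  "c2lnLXBsYWNlaG9sZGVy", // placeholder signature segment, not a real MAC
].join(".");
// Same header and signature segment, payload edited without any key.
const tampered = [
  original.split(".")[0],
  toB64url({ sub: "user-1", role: "admin", exp: NOW + 300 }),
  original.split(".")[2],
].join(".");

console.log(inspectJwt(tampered, NOW)); // decodes cleanly; only the standing warning
```

The tampered token produces the same single warning as the original, which is why a decoder's output cannot feed an authorization decision.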

Why provide the tool if tokens are sensitive?

JWT inspection is useful for debugging, but the page must clearly warn about risks and avoid uploading data.