Browser-only инструмент

JWT декодер

Просматривайте claims токена для отладки, но помните: decode не равен verify.

  • Обновлено: 2026-04-30
  • JWT decoding runs locally in your browser. The token is not uploaded by this static page.

Внимание: декодирование не равно верификации. Не вставляйте production токены, если не доверяете локальной среде.

Здесь появятся header и payload.

Подпись этим инструментом не проверяется.

Приватность и ограничения

JWT decoding runs locally in your browser. The token is not uploaded by this static page.

  • Decoding is not verification. A decoded token can still be forged or expired.
  • Do not paste production access tokens, refresh tokens, or secrets unless you trust the local environment.
  • Signature verification requires trusted keys and issuer-specific validation rules.

Связанные страницы

FAQ

Does this verify JWT signatures?

No. It decodes header and payload only. Verification needs trusted keys and issuer rules.

Is it safe to paste production tokens?

Avoid it. Tokens can grant access and may also be stored in browser history or screenshots.

What parts of a JWT are decoded?

The tool decodes the Base64URL header and payload. It shows the signature segment but does not validate it.

Can decoded claims be trusted?

Not without signature, issuer, audience, expiry, and policy validation.

Why provide the tool if tokens are sensitive?

JWT inspection is useful for debugging, but the page must clearly warn about risks and avoid uploading data.