
Parse JWT tokens locally. Free online tool, no login, no sign-up.


Usage Guide & Tech FAQ

Usage Guide

  1. Paste the full JWT (`header.payload.signature`); some tools also accept header.payload for read-only decoding.
  2. Verify `alg`, `typ`, `kid`, and time claims (`exp`/`nbf`/`iat`)—timestamps are seconds, not milliseconds.
  3. For verification, supply the correct public key/JWK and algorithm; wrong keys fail verification even if the token is valid.
  4. Cross-check `aud`/`iss`/`sub` with your app’s expectations to avoid “decodable but not authorized” mistakes.
  5. Redact internal URLs, emails, PII, and fine-grained scopes before copying into docs or chats.
  6. If parsing fails, check for a `Bearer ` prefix, newlines, URL-encoding leftovers, or “smart quotes” from messengers.
  7. For expiry issues, confirm whether the verifier disables checks, has clock skew, or caches old tokens.
  8. Compare the raw string with parsed parts—HTML escaping, truncation, or spaces around dots break JWTs.
  9. Agree whether dev environments allow `none` for testing; production must enforce `alg` at the gateway/resource server.
  10. When filing bugs, note browser version, paste source, and options used so others can reproduce.
  11. Read the title and description first to confirm this utility matches your task (avoid using the wrong tool and misinterpreting output).
  12. Paste or type input in the editor; if a sample/template is provided, load it first to learn the expected output shape.

Related Tech Knowledge

  • Common JWTs are JWS: Base64URL(JSON) header/payload; the payload is encoded, not encrypted.
  • Decoding happens in browser memory—don’t leave production tokens in recordings or public docs.
  • `alg=none` and algorithm confusion (e.g., misusing RSA public keys as HMAC secrets) are classic server-side pitfalls.
  • Base64URL differs from standard Base64 (`+/` and padding); don’t mix decoders when eyeballing bytes.
  • JWE (often five segments) is not the same as JWS; a JWS-focused tool may not decrypt JWE payloads.
  • Key rotation relies on `kid` to pick verification keys; define a fallback policy if `kid` is missing.
  • Nested JWTs embed another token inside claims—unwrap and verify layer by layer.
  • With OAuth2/OIDC, separate access_token vs id_token responsibilities, audiences, and validation rules.
  • Logging full JWTs leaks sessions; prefer `jti`/hashes or heavily redacted previews in production logs.
  • This page helps development; issuance/validation in production should use audited libraries and policies.
  • Core parsing and computation run in your browser; by default your raw business payload is not persisted to this site’s servers (see on-page privacy notes).
  • The pipeline is typically: read input → parse (lexical/syntactic/structured) → transform → render; failures aim to be diagnosable.
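As an added example (not this tool's code), the Python below walks the checks from the usage guide and the notes above: Base64URL decoding with restored padding, stripping a `Bearer ` prefix, detecting a five-segment JWE, pinning the algorithm so `alg=none` is rejected, and checking `exp`/`nbf`/`iss`/`aud` with clock skew. The key, issuer, audience and claims are constructed sample values.

```python
import base64, hashlib, hmac, json, time

def b64url_decode(s: str) -> bytes:
    # Base64URL uses '-' and '_' and strips '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def parse_jwt(raw: str) -> dict:
    """Decode a JWS compact token without verifying it (read-only inspection)."""
    tok = raw.strip()
    if tok.lower().startswith("bearer "):      # common copy/paste leftover
        tok = tok[7:].strip()
    parts = tok.split(".")
    if len(parts) == 5:
        raise ValueError("five segments: this is JWE, the payload is encrypted")
    if len(parts) != 3:
        raise ValueError(f"expected header.payload.signature, got {len(parts)} segments")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    return {"header": header, "payload": payload, "parts": parts}

def verify_hs256(raw: str, key: bytes, issuer: str, audience: str, now=None, skew: int = 60) -> dict:
    t = parse_jwt(raw)
    header, payload, parts = t["header"], t["payload"], t["parts"]
    # The verifier pins the algorithm; the header's alg is never trusted, so 'none' fails here.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    signing_input = f"{parts[0]}.{parts[1]}".encode()
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(parts[2])):
        raise ValueError("signature mismatch")
    now = time.time() if now is None else now     # exp/nbf/iat are seconds, not ms
    if "exp" in payload and now > payload["exp"] + skew:
        raise ValueError("token expired")
    if "nbf" in payload and now < payload["nbf"] - skew:
        raise ValueError("token not yet valid")
    aud = payload.get("aud")
    if payload.get("iss") != issuer or audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("iss/aud do not match this resource server")
    return payload

def make_hs256(header: dict, payload: dict, key: bytes) -> str:
    # Builds constructed test tokens only; production issuance belongs in an audited library.
    enc = lambda obj: b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    signing_input = f"{enc(header)}.{enc(payload)}"
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"
```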