JWT Decoder and Validator
Paste a JSON Web Token to see its header and payload, the claim dates and security checks, and to verify the signature. Everything happens in your browser: the token is never sent to any server.
Header
Payload
Highlighted claims
🛡️ Security checks
Verify signature
🧪 Demo: alg:none attack
Some misconfigured servers accept alg:none (no signature), which allows tokens to be forged. Generate the unsigned version of this payload to test whether your own API rejects it (it should).
Frequently asked questions
What is a JWT?
A JSON Web Token is a token format used for authentication and for exchanging information. It has 3 parts separated by dots: header, payload and signature, each encoded in Base64URL. The content is not encrypted, only signed, so anyone who holds the token can read it.
Is decoding safe? Does my token leak?
It does not: everything happens in your browser and the token is never sent to any server. Even so, avoid pasting valid production tokens into tools you do not control.
What is the alg:none attack?
It is when a token uses the "none" algorithm (no signature). If the server accepts it, an attacker can forge any payload. A secure API must reject tokens with alg:none and always validate the signature against the algorithm and key the server expects, never the one the token claims.
How do I verify the signature?
For HS256/384/512, provide the secret. For RS*/ES*/PS*, paste the public key (PEM). Verification uses the browser's Web Crypto API.
Enjoying the tools? They are free, with no sign-up and no limits. If they helped you, consider buying me a coffee: that is what keeps Ferramentai online and new tools coming. Any amount helps a lot.