DEV Community

ToolSura
ToolSura

Posted on • Originally published at toolsura.com

Read a JWT without guessing what's inside

Read a JWT without guessing what's inside

A JWT shows up in almost every auth flow you'll touch: OAuth callbacks, session cookies, API tokens. It looks like gibberish, three blocks of characters separated by dots. Each block is plain text in Base64url, not encryption. The JWT Decoder at ToolsUra turns those blocks into readable JSON in one paste.

What a JWT is made of

A token has three parts, split by dots:

  • Header: names the algorithm and token type.
  • Payload: the claims. sub, exp, iat, iss, aud, and whatever your app adds.
  • Signature: the part that proves the token wasn't tampered with.

The decoder shows you the first two. The signature block stays encoded, which is correct: reading a JWT is not the same as verifying it.

Why decode instead of verify

Decoding answers "what does this token say?" Verification answers "can I trust it?" You decode when you're debugging, reading a claim, or checking an expiry. You should never treat a decoded payload as proof of identity on the server side. That verification has to happen with the secret or public key, never in the browser.

The ToolsUra decoder does the read step only. It runs locally and doesn't send your token anywhere.

How to use it

  1. Copy a JWT from your dev tools, a curl response, or a cookie.
  2. Paste it into the JWT Decoder.
  3. Read the header and payload as formatted JSON. Check exp against the current time to see if it's stale.

A few things to watch

  • exp is a Unix timestamp in seconds. Compare it to Date.now() / 1000, not milliseconds.
  • A missing or null exp means the token never expires. That's a finding, not a feature.
  • Algorithm confusion attacks start with a token whose header says alg: none or HS256 against an RSA key. The decoder shows you the header so you can spot it.

Related tools

If the payload has Base64 you need to unwrap, the Base64 Encoder/Decoder handles it. For checking token expiry math, the Timestamp Converter turns exp into a real date.

Try it: toolsura.com/tools/json-web-token-jwt-decoder

Top comments (0)