Read a JWT without guessing what's inside
A JWT shows up in almost every auth flow you'll touch: OAuth callbacks, session cookies, API tokens. It looks like gibberish, three blocks of characters separated by dots. Each block is plain text in Base64url, not encryption. The JWT Decoder at ToolsUra turns those blocks into readable JSON in one paste.
What a JWT is made of
A token has three parts, split by dots:
- Header: names the algorithm and token type.
- Payload: the claims.
sub,exp,iat,iss,aud, and whatever your app adds. - Signature: the part that proves the token wasn't tampered with.
The decoder shows you the first two. The signature block stays encoded, which is correct: reading a JWT is not the same as verifying it.
Why decode instead of verify
Decoding answers "what does this token say?" Verification answers "can I trust it?" You decode when you're debugging, reading a claim, or checking an expiry. You should never treat a decoded payload as proof of identity on the server side. That verification has to happen with the secret or public key, never in the browser.
The ToolsUra decoder does the read step only. It runs locally and doesn't send your token anywhere.
How to use it
- Copy a JWT from your dev tools, a curl response, or a cookie.
- Paste it into the JWT Decoder.
- Read the header and payload as formatted JSON. Check
expagainst the current time to see if it's stale.
A few things to watch
-
expis a Unix timestamp in seconds. Compare it toDate.now() / 1000, not milliseconds. - A missing or
nullexpmeans the token never expires. That's a finding, not a feature. - Algorithm confusion attacks start with a token whose header says
alg: noneorHS256against an RSA key. The decoder shows you the header so you can spot it.
Related tools
If the payload has Base64 you need to unwrap, the Base64 Encoder/Decoder handles it. For checking token expiry math, the Timestamp Converter turns exp into a real date.
Top comments (0)