Paste any JSON Web Token to decode its header, payload, and signature. We flag expired tokens, weak algorithms, and the classic alg: none downgrade attack. Everything runs in your browser.
Decoding happens locally with the browser's built-in atob(); we never transmit your token anywhere. Disconnect your internet and this page still works.
A JSON Web Token (RFC 7519) is three base64url-encoded segments (no padding) joined with dots: header.payload.signature. The header declares the signing algorithm, the payload carries the claims, and the signature, once checked against the right key with the right algorithm, proves the token was issued by someone who holds the signing key.
Decoding a JWT is trivial: it is encoding, not encryption. Anyone holding the token can read the payload. Do not put secrets, passwords, or more PII than you need in the claims. Short-lived tokens, refresh-token rotation, and server-side validation on every request are the baseline.
alg: none downgrade: some buggy libraries accept a token whose header says alg: none as valid. The attacker strips the signature, edits the payload, and the server trusts it. If you see alg: none, the token is unauthenticated; reject it. Compare the value case-insensitively, since a check that only rejects the lowercase string none has been bypassed with None or NONE.

Weak HMAC secrets: HS256 tokens signed with short or guessable secrets fall to offline brute force, because anyone holding a token has everything needed to test candidate keys. Use keys with at least 256 bits of entropy, the minimum RFC 7518 requires for HS256. For public APIs, prefer asymmetric signing (RS256, ES256, EdDSA) so that verifiers only ever hold a public key.

exp claim: exp is in Unix seconds. Check it on every request, allowing at most a small clock skew, and do not rely on the client to drop expired tokens. A token without exp never expires.

aud / iss validation: without audience and issuer checks, a valid token minted for one service can be replayed against another service that trusts the same key.

Algorithm confusion (RS256 → HS256): if the server loads its RSA public key as the HMAC secret, an attacker who has that public key can sign a forged HS256 token with it. Pin the expected algorithm and key on the server; never let the token header choose either.

This parser does not verify signatures against a key: doing so would require you to paste your signing key into the page, which we refuse to accept. Signature verification belongs on your server. We decode, structurally validate, and call out the classic footguns.
If your codebase has a hundred services and you want to catch "someone hardcoded a JWT secret in a config file" before it ships, you need a continuous scanner. Security Factor 365 includes 81 secret-detection patterns (including JWT secrets, OAuth tokens, and API keys across 20+ vendors) plus SAST rules that catch algorithm: "none" code paths and missing exp validation.
SF365 scans every commit for hardcoded JWT secrets, missing expiration checks, and algorithm-confusion vulnerabilities — in 11 scanner engines running in parallel.
Start Free Trial →