Free JWT Decoder & Security Analyzer
Decode a JSON Web Token in your browser and analyze it for security weaknesses — the alg:none unsigned-token risk, missing or expired exp, sensitive data in the (unencrypted) payload, and the full decoded header and claims. The token never leaves your browser.
What this JWT decoder checks
How it works
In-browser: the token never leaves your browser.
1. You paste a JWT; we base64url-decode the header and payload entirely in your browser using JavaScript.
2. We flag alg:none (forgeable), a missing or expired exp, and sensitive data sitting in the (unencrypted) payload, and we detect encrypted JWE tokens.
3. Nothing is uploaded, logged or stored — and we never ask for your signing secret, so we do not verify the signature.
Why it matters
JWTs are everywhere in modern auth, and their failure modes are subtle: accepting alg:none lets attackers forge tokens, a missing exp means a leaked token is valid forever, and developers routinely forget the payload is only base64-encoded — fully readable by anyone holding the token.
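The decode-and-check flow described under "How it works", and the failure modes listed above, as an added example in plain browser-style JavaScript (not the tool's own source). It decodes the two base64url segments, flags alg:none, a missing or expired exp and sensitive claim names, and recognises a five-segment JWE; the claim-name list and the sample token are constructed for illustration, and no signature is verified.

```javascript
// Added example: decode a JWS compact token and run structural checks.
// Uses only globals available in browsers and in Node 16+ (atob, btoa, TextDecoder).
const SENSITIVE_CLAIMS = ["password", "secret", "api_key", "apikey", "ssn", "credit_card"]; // assumed list

// base64url -> UTF-8 string: swap the URL-safe alphabet back and restore padding.
function base64UrlDecode(segment) {
  const base64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = base64 + "=".repeat((4 - (base64.length % 4)) % 4);
  const binary = atob(padded);
  const bytes = Uint8Array.from(binary, (ch) => ch.charCodeAt(0));
  return new TextDecoder().decode(bytes);
}

// Object -> base64url JSON segment (used only to build the constructed sample below).
function base64UrlEncode(obj) {
  const bytes = new TextEncoder().encode(JSON.stringify(obj));
  const binary = Array.from(bytes, (b) => String.fromCharCode(b)).join("");
  return btoa(binary).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Decode header and payload and return findings; nowSeconds is injectable for testing.
function analyzeJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.split(".");
  if (parts.length === 5) {
    return { jwe: true, findings: ["encrypted JWE token: payload cannot be read without the key"] };
  }
  if (parts.length !== 3) throw new Error("not a JWS compact token (expected 3 segments)");
  const header = JSON.parse(base64UrlDecode(parts[0]));
  const payload = JSON.parse(base64UrlDecode(parts[1]));
  const findings = [];
  if (typeof header.alg !== "string" || header.alg.toLowerCase() === "none") {
    findings.push("alg:none or missing alg: unsigned token, forgeable");
  }
  if (payload.exp === undefined) findings.push("missing exp: a leaked token never expires");
  else if (payload.exp <= nowSeconds) findings.push("expired exp: token is no longer valid");
  for (const key of Object.keys(payload)) {
    if (SENSITIVE_CLAIMS.includes(key.toLowerCase())) findings.push(`sensitive claim in payload: ${key}`);
  }
  return { jwe: false, header, payload, findings };
}

// Constructed sample token (not real): alg:none, no exp, a password claim in the payload.
const SAMPLE_TOKEN =
  `${base64UrlEncode({ alg: "none", typ: "JWT" })}.${base64UrlEncode({ sub: "user-123", password: "hunter2" })}.`;
```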
Frequently asked questions
Is the JWT decoder safe to use?
Yes — decoding happens entirely in your browser with JavaScript. The token is never sent to our servers, logged or stored.
Does it verify the signature?
No. Verifying a JWT signature requires the signing secret (HMAC) or public key (RSA/EC), which you should never paste into a website. We decode and analyze the structure and claims; verify the signature in your own backend.
Why does it warn about data in the payload?
A JWT payload is base64url-encoded, not encrypted. Anyone who has the token can read every claim — so passwords, API keys and PII must never be placed in it.