Neurobyte Technologies

Free JWT Inspector & Decoder

Decode a JSON Web Token to inspect its header, payload, claims and expiry, and flag weak settings like alg:none. Free and private — runs in your browser.

About this tool

JSON Web Tokens (JWTs) are everywhere in modern authentication, but they're easy to misconfigure in ways that undermine security. This free JWT inspector decodes a token's header and payload, shows its claims and expiry in readable form, and flags dangerous settings — like the alg:none vulnerability, missing expiry, or overly long-lived tokens.

Decoding is not the same as verifying: a JWT's header and payload are only Base64URL-encoded, not encrypted, so anyone holding the token can read them — a useful reminder never to put secrets in a JWT. The tool runs locally in your browser, so you can safely inspect tokens during development and debugging without sending them anywhere.
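The decode-and-flag behaviour described above, as an added example that is not the tool's own code. It splits a token into its three segments, Base64URL-decodes the header and payload without touching the signature, and reports the same classes of weak setting the page names (alg:none, a missing exp, an overly long lifetime). The function names, the 24-hour "long-lived" threshold and the sample tokens are all assumptions made for this example; it targets Node.js (the browser build would use atob in place of Buffer).

```javascript
// Added example (not the tool's own code): a minimal JWT inspector that decodes
// the header and payload WITHOUT verifying the signature and flags weak settings.
// Written for Node.js; a browser version swaps Buffer for atob with padding handling.

const MAX_LIFETIME_SECONDS = 24 * 60 * 60; // assumption: valid for more than a day counts as long-lived

// JWT segments are Base64URL without '=' padding; Node's Buffer accepts that directly.
function decodeSegment(segment) {
  return JSON.parse(Buffer.from(segment, 'base64url').toString('utf8'));
}

function encodeSegment(obj) {
  return Buffer.from(JSON.stringify(obj), 'utf8').toString('base64url');
}

// Decode a token and return its parts plus a list of human-readable warnings.
// `now` (seconds since epoch) is injectable so results are reproducible.
function inspectJwt(token, now = Math.floor(Date.now() / 1000)) {
  const parts = token.split('.');
  if (parts.length !== 3) {
    throw new Error(`expected header.payload.signature, got ${parts.length} segment(s)`);
  }
  const [headerSeg, payloadSeg, signatureSeg] = parts;
  const header = decodeSegment(headerSeg);
  const payload = decodeSegment(payloadSeg);
  const warnings = [];

  // alg:none in any letter case, or no alg at all, means a lenient verifier may skip the signature.
  const alg = typeof header.alg === 'string' ? header.alg.toLowerCase() : '';
  if (alg === '' || alg === 'none') {
    warnings.push('alg is "none" or missing: signature would not be checked');
  }
  if (signatureSeg === '') {
    warnings.push('empty signature segment: token is unsigned');
  }

  if (typeof payload.exp !== 'number') {
    warnings.push('no exp claim: token never expires');
  } else {
    if (payload.exp <= now) {
      warnings.push('token is expired');
    }
    // Lifetime is measured from iat when present, otherwise from the current time.
    const issuedAt = typeof payload.iat === 'number' ? payload.iat : now;
    if (payload.exp - issuedAt > MAX_LIFETIME_SECONDS) {
      warnings.push(`long-lived token: valid for ${Math.round((payload.exp - issuedAt) / 3600)} hours`);
    }
  }

  return {
    header,
    payload,
    signaturePresent: signatureSeg !== '',
    expiresAt: typeof payload.exp === 'number' ? new Date(payload.exp * 1000).toISOString() : null,
    warnings,
  };
}

// Constructed sample tokens (not real credentials) built at a fixed timestamp.
const SAMPLE_NOW = 1700000000;
const SAMPLE_UNSIGNED = [
  encodeSegment({ alg: 'none', typ: 'JWT' }),
  encodeSegment({ sub: 'user-123', iat: SAMPLE_NOW, exp: SAMPLE_NOW + 30 * 24 * 3600 }),
  '', // no signature at all
].join('.');
const SAMPLE_SHORT_LIVED = [
  encodeSegment({ alg: 'HS256', typ: 'JWT' }),
  encodeSegment({ sub: 'user-123', iat: SAMPLE_NOW, exp: SAMPLE_NOW + 900 }),
  'c2lnbmF0dXJlLXBsYWNlaG9sZGVy', // placeholder signature bytes; inspection never checks them
].join('.');

console.log(JSON.stringify(inspectJwt(SAMPLE_UNSIGNED, SAMPLE_NOW), null, 2));
console.log(JSON.stringify(inspectJwt(SAMPLE_SHORT_LIVED, SAMPLE_NOW), null, 2));
```

Running it prints three warnings for the unsigned 30-day token and none for the 15-minute HS256 token. Note what the inspector deliberately does not tell you: whether the HS256 signature is valid. That needs the key and a proper verifier, which is the point made in the FAQ below about reading contents without the secret.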

Frequently asked questions

Is it safe to paste a JWT here?

Decoding happens entirely in your browser and the token is never transmitted. Still, treat real access tokens as secrets — only paste tokens you're comfortable handling, and never share a live token publicly.

What is the alg:none vulnerability?

Some JWT libraries accept a token whose header sets alg to 'none' and skip signature verification entirely, so an attacker can forge tokens at will. The inspector flags this so you can confirm that your verifier pins the algorithm it expects, rather than trusting the header, and rejects unsigned tokens.

Can I read a JWT's contents without the secret?

Yes — the header and payload are only Base64URL-encoded, not encrypted, so anyone can read them. The signing secret only protects integrity (whether the token was tampered with), not confidentiality. Never store sensitive data in a JWT payload.