$jwt-decoder
Paste a JSON Web Token to decode its header, payload, and signature. Everything runs in your browser — your token is never sent to a server.
Signature is not verified — this tool only decodes the token. Do not use this to validate trust.
// how-to
How to decode a JWT
Paste a JWT to inspect its header, payload, and expiry claims. The token never leaves your browser.
Paste the token
Paste the full JWT (three dot-separated parts: header.payload.signature).
Inspect the header
Check the alg and typ header parameters. Be suspicious of alg:none or of any algorithm you did not expect.
Inspect the payload
Review iss, sub, aud, exp, iat, and custom claims. Expiry is shown in human-readable form.
Verify separately
This tool does not verify the signature; that requires the shared secret (HS*) or the public key (RS*/ES*). Use your backend or a signing library for verification.
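The inspection steps above as a short script. This is an added example, not this tool's own code: inspectJwt, the ALLOWED_ALGS allow-list and the sample tokens are assumptions constructed for illustration. Like the tool, it only decodes and never verifies the signature.

```javascript
// Added example: decode-only JWT inspection. It does NOT verify the signature.
const ALLOWED_ALGS = new Set(["HS256", "RS256", "ES256"]); // assumption: your own allow-list

function b64urlToText(segment) {
  // base64url -> base64, restore padding, then decode the bytes as UTF-8
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return new TextDecoder("utf-8", { fatal: true }).decode(bytes);
}

function inspectJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const header = JSON.parse(b64urlToText(parts[0]));
  const payload = JSON.parse(b64urlToText(parts[1]));
  const warnings = [];
  const alg = String(header.alg ?? "");
  // Compare case-insensitively so spellings such as "None" are flagged too.
  if (alg.toLowerCase() === "none") warnings.push("alg:none (unsigned token)");
  else if (!ALLOWED_ALGS.has(alg)) warnings.push(`unexpected alg: ${alg}`);
  if (parts[2] === "") warnings.push("empty signature segment");
  let expiresAt = null;
  if (typeof payload.exp === "number") {
    expiresAt = new Date(payload.exp * 1000).toISOString(); // human-readable expiry
    if (payload.exp <= nowSeconds) warnings.push("token is expired");
  } else {
    warnings.push("no exp claim");
  }
  return { header, payload, expiresAt, warnings, signatureVerified: false };
}

// Constructed sample tokens (not real credentials).
const enc = (o) =>
  btoa(JSON.stringify(o)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const claims = { iss: "https://issuer.example", sub: "user-123", aud: "api.example",
                 iat: 1700000000, exp: 1700003600 };
const unsignedToken = `${enc({ alg: "none", typ: "JWT" })}.${enc(claims)}.`;
const signedLooking = `${enc({ alg: "HS256", typ: "JWT" })}.${enc(claims)}.c2lnbmF0dXJl`;

console.log(inspectJwt(unsignedToken, 1700000100));
console.log(inspectJwt(signedLooking, 1700009999));
```

A result with no warnings only means the token looks well-formed; signatureVerified is always false here, so trust decisions still belong to the backend that holds the key.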
// faq
- ? Does this verify the signature?
- No. Signature verification requires the shared secret (HS*) or public key (RS*/ES*), which should never be pasted into a public web tool.
- ? Is pasting a production token safe?
- Decoding runs entirely in your browser — nothing is uploaded. Even so, avoid pasting long-lived or highly privileged tokens; rotate if in doubt.
- ? What is alg:none?
- A JWT header claiming no signature. Any library that accepts alg:none is critically vulnerable — always reject it server-side.