
JWT Decoder

Decode and inspect JWT tokens instantly in your browser. No data is sent to any server.

How to use the JWT Decoder

1. Paste your JWT
   Copy and paste a JWT token string into the input field.

2. Inspect the decoded output
   The header and payload are decoded and formatted as JSON instantly.

3. Check expiry status
   The tool highlights whether the token has expired or is still unexpired according to its exp claim.

What is a JWT and how does this decoder work?

A JSON Web Token (JWT) is a compact, signed token used to pass identity and claims between a client and a server. It has three parts separated by dots: a header, a payload, and a signature. The header and payload are Base64URL-encoded JSON, which means anyone can read them. The signature proves the token was issued by a trusted party and was not changed.

This decoder splits a token, Base64URL-decodes the header and payload, and shows the JSON along with useful details like the algorithm, the issued-at time, and whether the token has expired. Everything happens in your browser, so the token never leaves your device.

  • Decode the JWT header and payload into formatted JSON
  • See the signing algorithm and token type from the header
  • Check expiration status with issued-at and expires-at times
  • Inspect all standard and custom claims
  • Copy any section with one click
  • Fully client-side, so tokens are never sent to a server

What each part of a JWT contains

The header names the algorithm (such as HS256 or RS256) and the token type. The payload holds the claims, which are statements about the user and the token, including registered claims like sub (subject), iat (issued at), exp (expiry), and any custom claims your app adds. The signature is computed over the encoded header and payload with a secret or private key.

Decoding is not the same as verifying

Decoding only reads the header and payload, which are not encrypted, just encoded. Verifying checks the signature against the secret or public key to confirm the token is authentic and untampered. Verification needs the key and is a server-side operation, so this tool decodes and inspects but does not verify the signature.

Common claims and what they mean

iss is the issuer, aud is the intended audience, sub is the subject (usually a user id), exp is the Unix timestamp when the token expires, and iat is when it was issued. If exp is in the past, the token is expired and most servers will reject it. This decoder converts those timestamps into readable dates for you.
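
As an added example (not the tool's own code), the decode and expiry check described above could look like this in browser-style JavaScript. The function names and the sample token are constructed for illustration, and the second token shows that an edited payload decodes just as cleanly as the original because nothing here checks the signature.

```javascript
// Added example; function names are hypothetical, not the tool's own code.
function b64urlToJson(segment) {
  // Base64URL -> Base64: swap the URL-safe characters, restore '=' padding.
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/")
    .padEnd(Math.ceil(segment.length / 4) * 4, "=");
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  return JSON.parse(new TextDecoder("utf-8", { fatal: true }).decode(bytes));
}

function decodeJwt(token) {
  const parts = String(token).trim().split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  return { header: b64urlToJson(parts[0]), payload: b64urlToJson(parts[1]) };
}

function inspectJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const { header, payload } = decodeJwt(token);
  const toIso = (t) => (typeof t === "number" ? new Date(t * 1000).toISOString() : null);
  return {
    alg: header.alg,
    typ: header.typ,
    claims: payload,
    issuedAt: toIso(payload.iat),
    expiresAt: toIso(payload.exp),
    // Expired once the current time reaches exp; null when exp is absent.
    expired: typeof payload.exp === "number" ? nowSeconds >= payload.exp : null,
    signatureVerified: false, // decoding never checks the signature
  };
}

// Constructed sample token; the third segment is a placeholder, not a real MAC.
const enc = (obj) =>
  btoa(JSON.stringify(obj)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
const sampleClaims = { iss: "https://issuer.example", sub: "user-123", iat: 1700000000, exp: 1700003600 };
const sampleToken = `${enc({ alg: "HS256", typ: "JWT" })}.${enc(sampleClaims)}.placeholder`;

// Same header and signature with an edited payload: it decodes just as
// cleanly, which is why decoded claims must not be trusted without verification.
const [head, , sig] = sampleToken.split(".");
const editedToken = `${head}.${enc({ ...sampleClaims, sub: "someone-else" })}.${sig}`;

console.log(inspectJwt(sampleToken, 1700000100));
console.log(inspectJwt(editedToken, 1700000100).claims.sub); // decodes, unverified
```
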

Frequently asked questions

Is my JWT sent to a server?
No. The token is decoded entirely in your browser with JavaScript. It never leaves your device, which makes it safe to inspect tokens that contain sensitive claims.

Can I verify the signature here?
No. Verifying a signature requires the secret or public key and is done server-side. This tool decodes and inspects the readable header and payload only.

Why can anyone read my JWT payload?
The payload is Base64URL-encoded, not encrypted. Encoding only changes the format, so never put secrets like passwords in a JWT payload. The signature protects integrity, not confidentiality.

How do I know if a token is expired?
The decoder reads the exp claim, converts it to a readable date, and shows whether the token is still valid or has expired based on the current time.

What is the difference between HS256 and RS256?
HS256 signs with a single shared secret, while RS256 signs with a private key and verifies with the matching public key. The algorithm is shown in the decoded header.
