فك تشفير JWT

فك تشفير وفحص رموز الويب JSON (JWT). عرض الرأس والحمولة والتوقيع.

0 حرف

ما هو فك تشفير JWT؟

فك تشفير JWT (رمز الويب JSON) هو أداة تفك تشفير وتعرض محتويات رموز JWT. تُستخدم رموز JWT بشكل شائع للمصادقة وتبادل المعلومات في تطبيقات الويب. تساعدك هذه الأداة على فحص محتويات JWT دون التحقق من التوقيع.

Essential Uses of JWT Decoding

  • Debugging Authentication Issues: When authentication fails or behaves unexpectedly, decode the JWT to see what claims it contains. Check if user ID (sub) is correct, if roles/permissions are present, if expiration (exp) has passed, or if custom claims match expectations. For example, if a user reports "access denied," decode their JWT to verify their roles claim contains the required permission. This instantly reveals whether the issue is token generation (missing claims) or authorization logic (incorrect permission checks).
  • API Development and Testing: When building or testing APIs that use JWT authentication, decode tokens to verify the API is generating correct JWTs. Check that claims are formatted properly, expiration times are reasonable, and custom claims (user metadata, permissions) are included. Tools like Postman and Insomnia show JWTs in requests. Decoding them helps you understand what the API is actually sending and receiving.
  • seo.jwt_decoder.use_security seo.jwt_decoder.use_security_desc
  • Token Expiration Checking: JWTs contain an exp (expiration) claim as a Unix timestamp. Decode a token to check when it expires. Convert the timestamp to human-readable date/time to see if the token is still valid or has expired. This is crucial when debugging "token expired" errors. Decode the token, check the exp claim, compare to current time. Many authentication issues are simply expired tokens.
كيفية استخدام فك تشفير JWT هذا

seo.jwt_decoder.how_desc

  • الصق رمز JWT الخاص بك في حقل الإدخال أعلاه.
  • انقر على زر "فك تشفير JWT".
  • اعرض الرأس والحمولة والتوقيع المفكوكة في حقل الإخراج.
  • استخدم زر "نسخ النتيجة" لنسخ المحتوى المفكوك.

seo.jwt_decoder.how_example

JWT: The Modern Authentication Standard

تم تعريف رموز الويب JSON (JWT) في RFC 7519 (2015). توفر JWT طريقة مضغوطة وآمنة لعنوان URL لتمثيل المطالبات بين طرفين. تتكون من ثلاثة أجزاء مشفرة بـ Base64URL: الرأس والحمولة والتوقيع. تُستخدم JWT على نطاق واسع في تطبيقات الويب الحديثة وواجهات برمجة التطبيقات للمصادقة والترخيص.

ملاحظة أمنية مهمة

Decoding a JWT shows its contents but does not verify its authenticity. Always verify JWT signatures on the server before trusting the payload data. تعرف على أمان الترميز

فك تشفير JWT في لغات البرمجة

لدى معظم اللغات مكتبات JWT لفك تشفير والتحقق من الرموز. إليك الأمثلة (فك التشفير فقط، بدون التحقق):

// Using firebase/php-jwt (decode without verification)
use Firebase\JWT\JWT;
$parts = explode('.', $token);
$header = json_decode(JWT::urlsafeB64Decode($parts[0]));
$payload = json_decode(JWT::urlsafeB64Decode($parts[1]));

// With verification (recommended for production)
use Firebase\JWT\JWT;
use Firebase\JWT\Key;
try {
    $decoded = JWT::decode($token, new Key($secret, 'HS256'));
    // Token is valid and verified
} catch (Exception $e) {
    // Token invalid or expired
}

// Browser or Node.js: Decode without verification
function decodeJWT(token) {
    const parts = token.split('.');
    const header = JSON.parse(atob(parts[0]));
    const payload = JSON.parse(atob(parts[1]));
    return { header, payload };
}

// Using jsonwebtoken library (Node.js)
const jwt = require('jsonwebtoken');
const decoded = jwt.decode(token); // No verification

// With verification (recommended)
try {
    const verified = jwt.verify(token, secret);
    // Token is valid
} catch (err) {
    // Token invalid or expired
}

import jwt
import json
import base64

# Decode without verification
def decode_jwt(token):
    parts = token.split('.')
    header = json.loads(base64.urlsafe_b64decode(parts[0] + '=='))
    payload = json.loads(base64.urlsafe_b64decode(parts[1] + '=='))
    return header, payload

# Using PyJWT (decode without verification)
decoded = jwt.decode(token, options={"verify_signature": False})

# With verification (recommended)
try:
    verified = jwt.decode(token, secret, algorithms=["HS256"])
    # Token is valid
except jwt.ExpiredSignatureError:
    # Token expired
except jwt.InvalidTokenError:
    # Token invalid

import (
    "encoding/base64"
    "encoding/json"
    "strings"
)

// Decode without verification
func decodeJWT(token string) (map[string]interface{}, error) {
    parts := strings.Split(token, ".")
    payload, _ := base64.RawURLEncoding.DecodeString(parts[1])
    var claims map[string]interface{}
    json.Unmarshal(payload, &claims)
    return claims, nil
}

// Using golang-jwt/jwt with verification
import "github.com/golang-jwt/jwt/v5"
token, err := jwt.Parse(tokenString, func(token *jwt.Token) (interface{}, error) {
    return []byte(secret), nil
})
if claims, ok := token.Claims.(jwt.MapClaims); ok && token.Valid {
    // Token verified and valid
}

// Using java-jwt (Auth0)
import com.auth0.jwt.JWT;
import com.auth0.jwt.interfaces.DecodedJWT;

// Decode without verification
DecodedJWT jwt = JWT.decode(token);
String subject = jwt.getSubject();
Date expiresAt = jwt.getExpiresAt();

// With verification (recommended)
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.JWTVerifier;
try {
    Algorithm algorithm = Algorithm.HMAC256(secret);
    JWTVerifier verifier = JWT.require(algorithm).build();
    DecodedJWT jwt = verifier.verify(token);
    // Token is valid
} catch (Exception e) {
    // Token invalid
}

require 'jwt'

# Decode without verification
decoded = JWT.decode(token, nil, false)
payload = decoded[0]
header = decoded[1]

# With verification (recommended)
begin
  decoded = JWT.decode(token, secret, true, { algorithm: 'HS256' })
  payload = decoded[0]
  # Token is valid
rescue JWT::ExpiredSignature
  # Token expired
rescue JWT::DecodeError
  # Token invalid
end

using System.IdentityModel.Tokens.Jwt;

// Decode without verification
var handler = new JwtSecurityTokenHandler();
var jwtToken = handler.ReadJwtToken(token);
var claims = jwtToken.Claims;
var expiration = jwtToken.ValidTo;

// With verification (recommended)
using Microsoft.IdentityModel.Tokens;
var tokenHandler = new JwtSecurityTokenHandler();
var key = Encoding.ASCII.GetBytes(secret);
try {
    var principal = tokenHandler.ValidateToken(token,
        new TokenValidationParameters {
            ValidateIssuerSigningKey = true,
            IssuerSigningKey = new SymmetricSecurityKey(key),
            ValidateIssuer = false,
            ValidateAudience = false
        }, out SecurityToken validatedToken);
    // Token is valid
} catch {
    // Token invalid
}

Related Tools

JWTs use Base64URL encoding. Use our Base64 Decoder to decode individual JWT parts if needed.

JWT payloads are JSON. After decoding, use our JSON Formatter to beautify the decoded JSON for easier reading.

Passing JWTs in URLs? Ensure they're URL-encoded with our URL Encoder to handle special characters safely.