Decodificador JWT

Decodifica e inspecciona tokens web JSON (JWT). Visualiza encabezado, carga útil y firma.

Texto de Entrada:

0 caracteres

Salida:

¿Qué es un Decodificador JWT?

Un decodificador JWT (JSON Web Token) es una herramienta que decodifica y muestra el contenido de tokens JWT. Los JWT se usan comúnmente para autenticación e intercambio de información en aplicaciones web. Esta herramienta te ayuda a inspeccionar el contenido de JWT sin verificar la firma.

Essential Uses of JWT Decoding

Debugging Authentication Issues: When authentication fails or behaves unexpectedly, decode the JWT to see what claims it contains. Check if user ID (sub) is correct, if roles/permissions are present, if expiration (exp) has passed, or if custom claims match expectations. For example, if a user reports "access denied," decode their JWT to verify their roles claim contains the required permission. This instantly reveals whether the issue is token generation (missing claims) or authorization logic (incorrect permission checks).
API Development and Testing: When building or testing APIs that use JWT authentication, decode tokens to verify the API is generating correct JWTs. Check that claims are formatted properly, expiration times are reasonable, and custom claims (user metadata, permissions) are included. Tools like Postman and Insomnia show JWTs in requests. Decoding them helps you understand what the API is actually sending and receiving.
seo.jwt_decoder.use_security seo.jwt_decoder.use_security_desc
Token Expiration Checking: JWTs contain an exp (expiration) claim as a Unix timestamp. Decode a token to check when it expires. Convert the timestamp to human-readable date/time to see if the token is still valid or has expired. This is crucial when debugging "token expired" errors. Decode the token, check the exp claim, compare to current time. Many authentication issues are simply expired tokens.

Cómo Usar Este Decodificador JWT

seo.jwt_decoder.how_desc

Pega tu token JWT en el campo de entrada superior.
Haz clic en el botón "Decodificar JWT".
Visualiza el encabezado, carga útil y firma decodificados en el campo de salida.
Usa el botón "Copiar Resultado" para copiar el contenido decodificado.

seo.jwt_decoder.how_example

JWT: The Modern Authentication Standard

JWT was standardized as RFC 7519 in 2015, but the concept emerged earlier from OAuth 2.0 and OpenID Connect specifications. JWTs solved a critical problem: how to authenticate users in stateless APIs without server-side sessions. Traditional session authentication requires storing session data on the server and looking it up on every request. JWTs flip this model: all authentication information is in the token itself (self-contained), allowing servers to verify authenticity without database lookups. This makes JWTs perfect for microservices, serverless architectures, and distributed systems. Today, JWTs are used by virtually every modern authentication system: Auth0, Firebase, AWS Cognito, Keycloak, and countless custom implementations.

Nota de Seguridad Importante

Decoding a JWT shows its contents but does not verify its authenticity. Always verify JWT signatures on the server before trusting the payload data. Learn about encoding security

JWT Decoding in Programming Languages

Most programming languages have JWT libraries for decoding and verifying tokens. Here are examples (decode only, without verification):

// Using firebase/php-jwt (decode without verification)
use Firebase\JWT\JWT;
$parts = explode('.', $token);
$header = json_decode(JWT::urlsafeB64Decode($parts[0]));
$payload = json_decode(JWT::urlsafeB64Decode($parts[1]));

// With verification (recommended for production)
use Firebase\JWT\JWT;
use Firebase\JWT\Key;
try {
    $decoded = JWT::decode($token, new Key($secret, 'HS256'));
    // Token is valid and verified
} catch (Exception $e) {
    // Token invalid or expired
}

// Browser or Node.js: Decode without verification
function decodeJWT(token) {
    const parts = token.split('.');
    const header = JSON.parse(atob(parts[0]));
    const payload = JSON.parse(atob(parts[1]));
    return { header, payload };
}

// Using jsonwebtoken library (Node.js)
const jwt = require('jsonwebtoken');
const decoded = jwt.decode(token); // No verification

// With verification (recommended)
try {
    const verified = jwt.verify(token, secret);
    // Token is valid
} catch (err) {
    // Token invalid or expired
}

import jwt
import json
import base64

# Decode without verification
def decode_jwt(token):
    parts = token.split('.')
    header = json.loads(base64.urlsafe_b64decode(parts[0] + '=='))
    payload = json.loads(base64.urlsafe_b64decode(parts[1] + '=='))
    return header, payload

# Using PyJWT (decode without verification)
decoded = jwt.decode(token, options={"verify_signature": False})

# With verification (recommended)
try:
    verified = jwt.decode(token, secret, algorithms=["HS256"])
    # Token is valid
except jwt.ExpiredSignatureError:
    # Token expired
except jwt.InvalidTokenError:
    # Token invalid

import (
    "encoding/base64"
    "encoding/json"
    "strings"
)

// Decode without verification
func decodeJWT(token string) (map[string]interface{}, error) {
    parts := strings.Split(token, ".")
    payload, _ := base64.RawURLEncoding.DecodeString(parts[1])
    var claims map[string]interface{}
    json.Unmarshal(payload, &claims)
    return claims, nil
}

// Using golang-jwt/jwt with verification
import "github.com/golang-jwt/jwt/v5"
token, err := jwt.Parse(tokenString, func(token *jwt.Token) (interface{}, error) {
    return []byte(secret), nil
})
if claims, ok := token.Claims.(jwt.MapClaims); ok && token.Valid {
    // Token verified and valid
}

// Using java-jwt (Auth0)
import com.auth0.jwt.JWT;
import com.auth0.jwt.interfaces.DecodedJWT;

// Decode without verification
DecodedJWT jwt = JWT.decode(token);
String subject = jwt.getSubject();
Date expiresAt = jwt.getExpiresAt();

// With verification (recommended)
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.JWTVerifier;
try {
    Algorithm algorithm = Algorithm.HMAC256(secret);
    JWTVerifier verifier = JWT.require(algorithm).build();
    DecodedJWT jwt = verifier.verify(token);
    // Token is valid
} catch (Exception e) {
    // Token invalid
}

require 'jwt'

# Decode without verification
decoded = JWT.decode(token, nil, false)
payload = decoded[0]
header = decoded[1]

# With verification (recommended)
begin
  decoded = JWT.decode(token, secret, true, { algorithm: 'HS256' })
  payload = decoded[0]
  # Token is valid
rescue JWT::ExpiredSignature
  # Token expired
rescue JWT::DecodeError
  # Token invalid
end

using System.IdentityModel.Tokens.Jwt;

// Decode without verification
var handler = new JwtSecurityTokenHandler();
var jwtToken = handler.ReadJwtToken(token);
var claims = jwtToken.Claims;
var expiration = jwtToken.ValidTo;

// With verification (recommended)
using Microsoft.IdentityModel.Tokens;
var tokenHandler = new JwtSecurityTokenHandler();
var key = Encoding.ASCII.GetBytes(secret);
try {
    var principal = tokenHandler.ValidateToken(token,
        new TokenValidationParameters {
            ValidateIssuerSigningKey = true,
            IssuerSigningKey = new SymmetricSecurityKey(key),
            ValidateIssuer = false,
            ValidateAudience = false
        }, out SecurityToken validatedToken);
    // Token is valid
} catch {
    // Token invalid
}

Related Tools

JWTs use Base64URL encoding. Use our Base64 Decoder to decode individual JWT parts if needed.

JWT payloads are JSON. After decoding, use our JSON Formatter to beautify the decoded JSON for easier reading.

Passing JWTs in URLs? Ensure they're URL-encoded with our URL Encoder to handle special characters safely.