Декодер JWT

Декодирование и проверка JSON Web Tokens (JWT). Просмотр заголовка, полезной нагрузки и подписи.

Входной текст:

0 символов

Вывод:

Что такое декодер JWT?

Декодер JWT (JSON Web Token) — это инструмент, который декодирует и отображает содержимое JWT-токенов. JWT обычно используются для аутентификации и обмена информацией в веб-приложениях. Этот инструмент помогает вам проверять содержимое JWT без проверки подписи.

Essential Uses of JWT Decoding

Debugging Authentication Issues: When authentication fails or behaves unexpectedly, decode the JWT to see what claims it contains. Check if user ID (sub) is correct, if roles/permissions are present, if expiration (exp) has passed, or if custom claims match expectations. For example, if a user reports "access denied," decode their JWT to verify their roles claim contains the required permission. This instantly reveals whether the issue is token generation (missing claims) or authorization logic (incorrect permission checks).
API Development and Testing: When building or testing APIs that use JWT authentication, decode tokens to verify the API is generating correct JWTs. Check that claims are formatted properly, expiration times are reasonable, and custom claims (user metadata, permissions) are included. Tools like Postman and Insomnia show JWTs in requests. Decoding them helps you understand what the API is actually sending and receiving.
seo.jwt_decoder.use_security seo.jwt_decoder.use_security_desc
Token Expiration Checking: JWTs contain an exp (expiration) claim as a Unix timestamp. Decode a token to check when it expires. Convert the timestamp to human-readable date/time to see if the token is still valid or has expired. This is crucial when debugging "token expired" errors. Decode the token, check the exp claim, compare to current time. Many authentication issues are simply expired tokens.

Как использовать этот декодер JWT

seo.jwt_decoder.how_desc

Вставьте ваш JWT-токен в поле ввода выше.
Нажмите кнопку "Декодировать JWT".
Просмотрите декодированный заголовок, полезную нагрузку и подпись в поле вывода.
Используйте кнопку "Копировать результат", чтобы скопировать декодированное содержимое.

seo.jwt_decoder.how_example

JWT: The Modern Authentication Standard

JSON Web Tokens (JWT) определены в RFC 7519 (2015). JWT предоставляют компактный, URL-безопасный способ представления утверждений между двумя сторонами. Они состоят из трёх частей, закодированных в Base64URL: заголовок, полезная нагрузка и подпись. JWT широко используются в современных веб-приложениях и API для аутентификации и авторизации.

Важное замечание о безопасности

Decoding a JWT shows its contents but does not verify its authenticity. Always verify JWT signatures on the server before trusting the payload data. Learn about encoding security

Декодирование JWT в языках программирования

Большинство языков имеют библиотеки JWT для декодирования и проверки токенов. Вот примеры (только декодирование, без проверки):

// Using firebase/php-jwt (decode without verification)
use Firebase\JWT\JWT;
$parts = explode('.', $token);
$header = json_decode(JWT::urlsafeB64Decode($parts[0]));
$payload = json_decode(JWT::urlsafeB64Decode($parts[1]));

// With verification (recommended for production)
use Firebase\JWT\JWT;
use Firebase\JWT\Key;
try {
    $decoded = JWT::decode($token, new Key($secret, 'HS256'));
    // Token is valid and verified
} catch (Exception $e) {
    // Token invalid or expired
}

// Browser or Node.js: Decode without verification
function decodeJWT(token) {
    const parts = token.split('.');
    const header = JSON.parse(atob(parts[0]));
    const payload = JSON.parse(atob(parts[1]));
    return { header, payload };
}

// Using jsonwebtoken library (Node.js)
const jwt = require('jsonwebtoken');
const decoded = jwt.decode(token); // No verification

// With verification (recommended)
try {
    const verified = jwt.verify(token, secret);
    // Token is valid
} catch (err) {
    // Token invalid or expired
}

import jwt
import json
import base64

# Decode without verification
def decode_jwt(token):
    parts = token.split('.')
    header = json.loads(base64.urlsafe_b64decode(parts[0] + '=='))
    payload = json.loads(base64.urlsafe_b64decode(parts[1] + '=='))
    return header, payload

# Using PyJWT (decode without verification)
decoded = jwt.decode(token, options={"verify_signature": False})

# With verification (recommended)
try:
    verified = jwt.decode(token, secret, algorithms=["HS256"])
    # Token is valid
except jwt.ExpiredSignatureError:
    # Token expired
except jwt.InvalidTokenError:
    # Token invalid

import (
    "encoding/base64"
    "encoding/json"
    "strings"
)

// Decode without verification
func decodeJWT(token string) (map[string]interface{}, error) {
    parts := strings.Split(token, ".")
    payload, _ := base64.RawURLEncoding.DecodeString(parts[1])
    var claims map[string]interface{}
    json.Unmarshal(payload, &claims)
    return claims, nil
}

// Using golang-jwt/jwt with verification
import "github.com/golang-jwt/jwt/v5"
token, err := jwt.Parse(tokenString, func(token *jwt.Token) (interface{}, error) {
    return []byte(secret), nil
})
if claims, ok := token.Claims.(jwt.MapClaims); ok && token.Valid {
    // Token verified and valid
}

// Using java-jwt (Auth0)
import com.auth0.jwt.JWT;
import com.auth0.jwt.interfaces.DecodedJWT;

// Decode without verification
DecodedJWT jwt = JWT.decode(token);
String subject = jwt.getSubject();
Date expiresAt = jwt.getExpiresAt();

// With verification (recommended)
import com.auth0.jwt.algorithms.Algorithm;
import com.auth0.jwt.JWTVerifier;
try {
    Algorithm algorithm = Algorithm.HMAC256(secret);
    JWTVerifier verifier = JWT.require(algorithm).build();
    DecodedJWT jwt = verifier.verify(token);
    // Token is valid
} catch (Exception e) {
    // Token invalid
}

require 'jwt'

# Decode without verification
decoded = JWT.decode(token, nil, false)
payload = decoded[0]
header = decoded[1]

# With verification (recommended)
begin
  decoded = JWT.decode(token, secret, true, { algorithm: 'HS256' })
  payload = decoded[0]
  # Token is valid
rescue JWT::ExpiredSignature
  # Token expired
rescue JWT::DecodeError
  # Token invalid
end

using System.IdentityModel.Tokens.Jwt;

// Decode without verification
var handler = new JwtSecurityTokenHandler();
var jwtToken = handler.ReadJwtToken(token);
var claims = jwtToken.Claims;
var expiration = jwtToken.ValidTo;

// With verification (recommended)
using Microsoft.IdentityModel.Tokens;
var tokenHandler = new JwtSecurityTokenHandler();
var key = Encoding.ASCII.GetBytes(secret);
try {
    var principal = tokenHandler.ValidateToken(token,
        new TokenValidationParameters {
            ValidateIssuerSigningKey = true,
            IssuerSigningKey = new SymmetricSecurityKey(key),
            ValidateIssuer = false,
            ValidateAudience = false
        }, out SecurityToken validatedToken);
    // Token is valid
} catch {
    // Token invalid
}

Related Tools

JWTs use Base64URL encoding. Use our Base64 Decoder to decode individual JWT parts if needed.

JWT payloads are JSON. After decoding, use our JSON Formatter to beautify the decoded JSON for easier reading.

Passing JWTs in URLs? Ensure they're URL-encoded with our URL Encoder to handle special characters safely.