JWT 解码器 - 在线解码 JSON Web Token 并检查过期时间

粘贴任意 JSON Web Token,即可立即解码其头部和载荷、查看签名,并检查是否已过期。本地运行——你的令牌绝不会离开浏览器。

已编码的 JWT

Decode and verify entirely in your browser — nothing is uploaded.

文件在处理后自动删除通过 HTTPS 安全处理

Frequently Asked Questions

将编码后的 JWT(以 eyJ… 开头的长字符串)粘贴到输入框中。工具会按两个点将其分割,对头部和载荷进行 Base64URL 解码,并分别显示各自的 JSON 以及原始签名段——整个过程不发起任何网络请求。

usage

不会。解码器只解析令牌——它不会用密钥或公钥校验签名,因为验证需要签发方的密钥材料。生产环境的验证请使用服务端的 JWT 库;本工具仅用于查看和调试。

technical

你会获得头部(算法和密钥 id)、载荷声明(sub、iss、aud、iat、exp 以及任何自定义声明)和原始签名。标准的时间戳声明会被格式化为易读的日期,让你一眼就能发现过期的令牌。

features

如果载荷中包含标准的 "exp" 声明,工具会将其与当前时间进行比较,并显示「有效期至」或「令牌已于……过期」以及精确的时间戳。不含 exp 声明的令牌会被标注为永不过期。

features

任何人只要能读取 JWT 的载荷,便可在其过期前使用它,因此生产环境的令牌应只在私密工具中处理。本解码器完全在你的浏览器中运行,绝不会传输令牌,但更稳妥的做法是尽量只解码生命周期较短的开发令牌。

privacy

JWT 由三段以点分隔的 Base64URL 编码片段组成:头部(签名算法)、载荷(签发方希望验证方信任的声明)和签名(对 header.payload 计算的 MAC 或数字签名)。解码从不需要密钥——只有验证才需要。

technical

一种紧凑、URL 安全的令牌,由三段 Base64URL 组成——头部、负载和签名——携带经过签名的声明,例如用户 ID 和过期时间。它被广泛用于无状态登录会话和保护 API 请求。在上方粘贴一个令牌即可查看其头部和负载。

technical

在解码后的头部和载荷下方,将签名密钥(用于 HS256)或以 PEM 或 JWK 格式提供的签发者公钥(用于 RS256、ES256 等)粘贴到"验证签名"框中,然后点击"验证"。随后出现的徽章会告知签名是有效、无效,还是使用了浏览器端验证器不支持的算法——全部在本地计算,不会将令牌或密钥发送到任何地方。

features

For HMAC algorithms like HS256 you paste the raw shared secret string. For asymmetric algorithms like RS256, RS384 or ES256 you need the issuer's public key — never the private key — supplied as a PEM block or a JWK; pasting the wrong half of an asymmetric key pair will make verification fail even though the token is valid.

technical

The Verify signature panel supports every mainstream JOSE algorithm: HS256/384/512 (HMAC with a shared secret), RS256/384/512 (RSASSA-PKCS1-v1_5 with an RSA public key), PS256/384/512 (RSA-PSS with an RSA public key) and ES256/384/512 (ECDSA over the matching P-256/P-384/P-521 curve). Tokens signed with "none" or any algorithm outside this list are always reported as unsupported rather than marked valid, which also protects you from the classic alg=none forgery trick.

technical

The most common cause is pasting extra whitespace or a trailing newline into the secret box — the verifier hashes the exact bytes you enter, so a copy-paste artifact breaks the match. Also double-check you're verifying the current token: if the JWT was re-issued after you copied it, or the provider's secret is base64-encoded rather than a raw string, decode it first before pasting it in.

tips

Click Try sample JWT to load a demo HS256 token with sub, name, iat and exp claims so you can see decoding and expiry checking work before pasting your own token. Once a token is in the box, a Clear button appears next to it that wipes the input back to empty in one click.

usage

Each of the Header, Payload and Signature panels has its own Copy button in its top-right corner that copies only that section's JSON (or the raw signature string) to your clipboard. There's also a primary Copy Payload button below the panels for the most common case of grabbing just the claims to paste into a debugger or bug report.

features

How JWT Decoder helps you get it done

Real problems it solves every day — for businesses, creators, and everyday tasks. Find the use case that fits you and start in seconds.

For Developers

调试 OAuth 与 OpenID Connect 流程

在本地 OAuth 集成工作中,解码 Auth0、Okta、Cognito 和 Azure AD 返回的访问令牌和 ID 令牌,以验证作用域、受众和签发者

For Developers

检查 API 调用中的 Authorization 请求头

在向后端团队提交工单之前,粘贴失败 API 请求中的 bearer 令牌,确认问题是否出在错误的租户、角色或过期时间上

For Developers

在开发过程中检查 Token 是否过期

通过读取 exp 声明,发现那些悄悄破坏你测试环境的过期令牌——无需把令牌复制到终端或临时写一段脚本

For Business

审计令牌声明中编码的权限

验证角色、租户和功能开关等自定义声明,让管理员能够确认某位客户的令牌所授予的权限与授权团队的预期完全一致

For Business

验证单点登录集成

检查企业 SSO 集成生成的 SAML 和 OIDC 令牌,在向全体员工推广前确认用户组归属和属性映射

Education

讲解基于令牌的身份验证

借助解码后的头部、载荷和签名面板,向训练营学员、初级工程师和安全研讨会参与者讲解 JWT 的结构

For Developers

Confirm a Partner's Webhook Signing Setup

Paste a partner's RS256 or ES256 public key into Verify signature to confirm their webhook payloads are actually signed correctly before you flip an integration into production.

Privacy & Security

Investigate a Leaked or Suspicious Token

Decode a token found in logs or a bug report to check its audience, scopes and expiry without needing the signing key, so you can assess exposure fast during an incident.

On Mobile

Debug Mobile App Sign-In Failures

Paste the access token your mobile app receives after login to confirm the expiry, issuer and custom claims match what the backend expects when sign-in works on web but fails on iOS or Android.

For Business

Validate Tokens from Firebase, Supabase & Clerk

Decode and inspect tokens issued by modern auth providers like Firebase, Supabase and Clerk to confirm the claims your app reads (uid, role, tenant) are actually present before wiring up authorization logic.