Does this verify the JWT signature?

No. Verifying a signature requires the secret or public key, which should never be pasted into a web tool. This tool decodes the structure and checks claims, but a green result is not proof the signature is valid.

Why is alg none dangerous?

An alg value of none means the token is unsigned. If a server accepts it, an attacker can forge any payload. The tool flags it because production verifiers must reject the none algorithm outright.

How is expiry checked?

The exp claim is a Unix timestamp in seconds. The tool compares it to the current time and reports whether the token is still valid, already expired, or not yet valid based on the nbf (not-before) claim.

Is my token sent to a server?

No. The entire decode happens in your browser with base64url and JSON parsing. Nothing about the token is transmitted, which matters because JWTs often carry sensitive session data.

What do iss and aud do?

iss identifies the issuer and aud identifies the intended audience. Verifiers should check both so a token minted for one service cannot be replayed against another. The tool warns when either is missing.

JWT Decoder & Structure Verifier

A JSON Web Token (JWT) is a compact, URL-safe token made of three base64url-encoded segments — header, payload, and signature — separated by dots. This tool decodes the first two segments in your browser, formats them as readable JSON, checks time-based claims, and surfaces common security issues. Because tokens frequently carry session and identity data, nothing is ever sent to a server.

How it works

A JWT looks like header.payload.signature. The tool:

Splits the token on . and confirms there are three segments.
Base64url-decodes the header and payload (converting -/_ back to +// and restoring padding), then JSON.parses each.
Reads time claims: exp (expiry) and nbf (not before), both Unix seconds, and compares them to the current time.
Runs security heuristics: alg: none (unsigned), suspiciously short tokens, and missing iss or aud claims.

The signature segment is shown verbatim but never validated, because real verification needs the signing key — which should never be pasted into any web page.

Tips and notes

A decoded payload is readable by anyone who has the token, so never put secrets in JWT claims; treat the whole token as sensitive.
Always verify the signature server-side with the expected algorithm allow-list. Reject none and reject unexpected algorithms even if they decode cleanly.
An expired token here may still be accepted elsewhere if a server has clock skew tolerance; the exp check is informational.
Short-lived access tokens plus refresh tokens are safer than long expiries — if you see an exp far in the future, that is a smell worth flagging.