JWT Decoder & Debugger

Decode and inspect JWT tokens in real time. Flags security issues like alg:none, expired tokens, and missing claims. Runs 100% in your browser — nothing is sent to our servers.


What This Tool Checks

Algorithm (alg)

Detects dangerous algorithm settings, including alg:none (no signature) and weak HMAC, and flags algorithm confusion vulnerabilities.

Expiration (exp)

Flags expired tokens and tokens with excessively long lifetimes (30+ days), which widen the window in which a stolen token remains usable.

Missing Claims

Identifies missing iat, aud, iss, and nbf claims that are required for proper token validation and security.

Timestamp Analysis

Converts Unix timestamps to human-readable dates and flags tokens that are expired or not yet valid.
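
The checks listed above can be reproduced locally. The following is an added example, not Glasswing Security's code: the names inspectJwt and makeToken, the finding labels and the sample token are constructed for illustration. It covers only the alg:none, expiry, lifetime, missing-claim and timestamp checks, and it decodes without verifying the signature.

```javascript
// Added example; inspectJwt, makeToken and the finding labels are hypothetical names.
const DAY = 86400;

function b64urlToJson(part) {
  const b64 = part.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return JSON.parse(new TextDecoder().decode(bytes));
}

// Decodes only; the signature is never verified, so findings are advisory.
function inspectJwt(token, now = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) return { error: "not a three-part compact JWT" };
  let header, payload;
  try {
    header = b64urlToJson(parts[0]);
    payload = b64urlToJson(parts[1]);
    if (!header || !payload || typeof header !== "object" || typeof payload !== "object") throw new Error();
  } catch (e) {
    return { error: "header or payload is not a base64url-encoded JSON object" };
  }
  const findings = [];
  if (String(header.alg).toLowerCase() === "none") findings.push("alg-none");
  for (const c of ["iat", "aud", "iss", "nbf"]) {
    if (!(c in payload)) findings.push("missing-" + c);
  }
  if (typeof payload.exp === "number") {
    if (payload.exp <= now) findings.push("expired");
    // Lifetime is measured from iat when present, otherwise from now.
    const start = typeof payload.iat === "number" ? payload.iat : now;
    if (payload.exp - start >= 30 * DAY) findings.push("long-lifetime");
  }
  if (typeof payload.nbf === "number" && payload.nbf > now) findings.push("not-yet-valid");
  const dates = {};
  for (const c of ["iat", "nbf", "exp"]) {
    if (typeof payload[c] === "number") dates[c] = new Date(payload[c] * 1000).toISOString();
  }
  return { header, payload, findings, dates };
}

// Constructed sample tokens (ASCII-only claims, placeholder signature).
function makeToken(header, payload, sig) {
  const enc = (o) => btoa(JSON.stringify(o)).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
  return enc(header) + "." + enc(payload) + "." + sig;
}
const NOW = 1700000000; // fixed clock so the output is reproducible
const unsigned = makeToken({ alg: "none", typ: "JWT" }, { sub: "demo", iat: NOW - 40 * DAY, exp: NOW - 5 * DAY }, "");
console.log(inspectJwt(unsigned, NOW).findings);
```

Passing a fixed `now` keeps the expiry and not-before results reproducible; omit it to compare against the current clock.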

Privacy note: JWT decoding runs entirely in your browser using JavaScript. No token data is sent to our servers. This is safe for use with production tokens, but as a best practice, rotate tokens you paste into any online tool.

JWT Decoder Online — Free JWT Token Debugger | Glasswing Security