JWT Decoder
Decodes JWTs (JSON Web Tokens) to inspect their header and payload. Does not validate the signature.
JWT token
⚠️ Security Warning
This decoder does NOT validate the token's signature. It only decodes the content. Never trust a token without validating its signature on the server.
About this tool
The JWT (JSON Web Token) decoder is an essential tool for developers working with modern authentication and REST APIs. JWTs are compact, self-contained tokens used to transmit information securely between parties as JSON objects. This tool decodes and displays the header and payload of a JWT, which helps when debugging authentication systems, inspecting tokens, and understanding the information they contain. It's important to note that this tool does NOT validate the token signature; it only decodes the content. Signature validation must always be performed on the server using the corresponding secret or public key. The tool processes everything locally in your browser using the native atob() API for Base64 decoding, ensuring that sensitive tokens are never sent to external servers. It's especially useful for authentication flow debugging and claims analysis.
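An added example (not this tool's own source code) of decode-only inspection in JavaScript: JWT segments are base64url-encoded without padding, so they are normalised before being passed to atob(). The function names and the sample token are constructed for illustration.

```javascript
// Added example: decode-only JWT inspection. No signature check is performed.
function b64urlToText(segment) {
  // JWT segments use the URL-safe alphabet with padding stripped; atob() expects standard Base64.
  let b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  b64 += "=".repeat((4 - (b64.length % 4)) % 4);
  // atob() yields one char per byte; decode those bytes as UTF-8 so non-ASCII claims survive.
  const bytes = Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
  return new TextDecoder().decode(bytes);
}

function decodeJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  const header = JSON.parse(b64urlToText(parts[0]));
  const payload = JSON.parse(b64urlToText(parts[1]));
  // Notes are for display only; nothing here is a basis for an authorization decision.
  const notes = ["signature not verified"];
  if (String(header.alg).toLowerCase() === "none") notes.push("alg is none (unsigned token)");
  if (typeof payload.exp === "number" && payload.exp <= nowSeconds) notes.push("expired");
  if (typeof payload.nbf === "number" && payload.nbf > nowSeconds) notes.push("not yet valid");
  return { header, payload, notes };
}

// Helper used only to build the constructed sample below.
function textToB64url(text) {
  const bin = String.fromCharCode(...new TextEncoder().encode(text));
  return btoa(bin).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Constructed sample token (not a real credential); the signature part is a placeholder.
const SAMPLE_TOKEN = [
  textToB64url(JSON.stringify({ alg: "HS256", typ: "JWT" })),
  textToB64url(JSON.stringify({ sub: "user-123", name: "José", role: "admin", exp: 1700000000 })),
  "constructed-signature-placeholder",
].join(".");

console.log(decodeJwt(SAMPLE_TOKEN, 1700000100));
```

Passing the raw segment straight to atob() fails or misdecodes whenever it contains `-` or `_`, or when its length is not a multiple of four.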
Use cases
- Inspect JWT token content during debugging
- Verify token claims and expiration for authentication
- Analyze third-party JWT token structure
- Understand token format and content in development
Frequently asked questions
- Why doesn't the decoder validate the token signature?
- Signature validation requires the issuer's secret or public key, which isn't available in the browser for security reasons. Validation must always be performed on the server.
- Is it safe to use this decoder with production tokens?
- The decoder is safe because it processes everything locally in your browser. However, never make authorization decisions based solely on decoded content without validating the signature on the server.
- What information can I see in the JWT header and payload?
- The header contains information about the signature algorithm and token type. The payload contains claims (data) like user ID, roles, expiration date (exp), and other metadata defined by the application.
- Can I modify the decoded token?
- You can view and copy the decoded content, but modifying it would require re-encoding and signing the token with the correct secret key, which isn't possible in the browser without the key.