PTBox

JWT Decoder & Inspector

JSON Web Token (JWT) decoder — splits a token into header, payload and signature, decodes & beautifies the JSON, and highlights time claims (iat / exp / nbf) as human-readable timestamps.

Usage

A JSON Web Token (JWT) consists of three dot-separated parts, Header.Payload.Signature, each Base64URL-encoded.

This tool splits and decodes the header and payload, and automatically converts iat / exp / nbf time claims to human-readable timestamps. It does not verify the signature — signature verification must happen on the server, otherwise anyone could forge a token.

Use cases

Inspecting login tokens

See what claims are inside your JWT (user_id, roles, tenant, etc.).

Debugging 401 / 403

Check whether exp has passed or the required role claim is missing.

Auditing token contents

Verify that no sensitive fields are leaking into the payload.

API integration

Confirm a generated token matches the receiver's expected schema.

FAQ

Does it verify the signature?

No. This tool only decodes — signature verification must happen on the server, otherwise anyone can forge tokens.

Is the payload encrypted?

No! The JWT payload is only Base64URL-encoded, so anyone can read it. Don't put secrets (passwords, full IDs) in the payload.

What is alg: none, and why is it dangerous?

alg: none in the header marks an unsigned JWT. If the server accepts alg: none, attackers can forge arbitrary payloads, a classic JWT vulnerability.

What are iat / exp / nbf?

Issued-at / expiration / not-before, all Unix seconds. The tool converts them to readable timestamps automatically.
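
The decode step described on this page, as an added Python example (not PTBox's own code): it splits a token, decodes the header and payload, converts iat / nbf / exp to UTC timestamps, and reports audit findings such as alg: none or an expired token. The names inspect_jwt and make_sample and the sample token are constructed for illustration; like the tool, the code does not verify the signature.

```python
import base64
import json
from datetime import datetime, timezone

TIME_CLAIMS = ("iat", "nbf", "exp")

def b64url_decode(segment: str) -> bytes:
    # JWT segments drop Base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def inspect_jwt(token: str, now: int) -> dict:
    """Decode a JWT without verifying it; return claims, times and findings."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    # Time claims are Unix seconds; render them as UTC ISO 8601 strings.
    times = {c: datetime.fromtimestamp(payload[c], tz=timezone.utc).isoformat()
             for c in TIME_CLAIMS if isinstance(payload.get(c), (int, float))}
    findings = []
    if str(header.get("alg", "")).lower() == "none":
        findings.append("alg none: token is unsigned")
    if not parts[2]:
        findings.append("empty signature segment")
    if "exp" in times and now >= payload["exp"]:
        findings.append("expired")
    if "nbf" in times and now < payload["nbf"]:
        findings.append("not yet valid")
    return {"header": header, "payload": payload,
            "times": times, "findings": findings}

def make_sample(header: dict, payload: dict, signature: bytes = b"") -> str:
    # Builds a constructed token for the demo; signature bytes are filler.
    def enc(obj: dict) -> str:
        return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())
    return ".".join([enc(header), enc(payload), b64url_encode(signature)])

# Constructed sample: unsigned header, one-hour lifetime.
SAMPLE = make_sample({"alg": "none", "typ": "JWT"},
                     {"user_id": 42, "roles": ["admin"],
                      "iat": 1700000000, "exp": 1700003600})

if __name__ == "__main__":
    print(json.dumps(inspect_jwt(SAMPLE, now=1700007200), indent=2))
```

A clean findings list only means the decoded claims look sane; whether the token is authentic is still decided by the server's signature check.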
