RestingOwl

JWT Decoder & Vulnerability Inspector

Paste a JSON Web Token to decode its header and payload, and get instant feedback on common security issues. Runs 100% in your browser, nothing is sent anywhere.


How does a JWT work?

A JSON Web Token is three base64url-encoded parts joined by dots: header.payload.signature. The header names the signing algorithm, the payload carries claims such as the user ID and expiry, and the signature lets a server verify that the header and payload have not been tampered with. Anyone can decode the header and payload; only producing a valid signature requires the secret (HMAC algorithms such as HS256) or the private key (RSA or ECDSA algorithms such as RS256 and ES256), and only a party holding that secret or the matching public key can check one.

What does this tool check for?

Check                     Why it matters
alg: none                 If a server accepts this, anyone can forge a valid-looking token by editing the payload and leaving the signature empty.
Missing exp               A token with no expiry is valid forever once issued.
Very long lifetime        A stateless JWT cannot be revoked without extra server-side state, so a leaked long-lived token stays usable until it expires.
Missing iat               Without an issued-at time you cannot tell how old a token is or enforce a maximum age.
Sensitive-looking fields  The payload is only base64url-encoded, not encrypted, so anyone holding the token can read every field.
Privilege-related claims  Claims like admin or role must be set by the issuer and re-checked server-side on every request; never act on them from an unverified token.
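An added example, not RestingOwl's own code, that decodes a token the way the section above describes and then runs heuristic checks like the ones in the table. It runs under Node.js; the 24-hour lifetime threshold and the field-name patterns are assumptions made here, and the sample tokens are constructed inline with placeholder signatures, which is exactly why decoding says nothing about authenticity.

```javascript
// Added example (not RestingOwl's code). JWT parts are base64url without
// padding, so convert to standard base64 before handing them to Buffer.
function b64urlDecode(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/');
  const pad = b64.length % 4 ? '='.repeat(4 - (b64.length % 4)) : '';
  return Buffer.from(b64 + pad, 'base64').toString('utf8');
}

function b64urlEncode(str) {
  return Buffer.from(str, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Split header.payload.signature and parse the two JSON parts.
// The signature is returned as-is: decoding does not verify it.
function decodeJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('expected header.payload.signature');
  const [h, p, signature] = parts;
  return {
    header: JSON.parse(b64urlDecode(h)),
    payload: JSON.parse(b64urlDecode(p)),
    signature,
  };
}

// Assumptions for this example: what counts as "very long", and which
// field names look sensitive or privilege-related.
const MAX_LIFETIME_SECONDS = 24 * 60 * 60;
const SENSITIVE_FIELD = /password|passwd|secret|ssn|card|api_?key/i;
const PRIVILEGE_CLAIM = /^(admin|is_admin|role|roles|scope|scopes|permissions)$/i;

function inspectJwt(token, now = Math.floor(Date.now() / 1000)) {
  const { header, payload } = decodeJwt(token);
  const findings = [];

  // Compare case-insensitively: a check that only matches the lowercase
  // spelling misses "None" or "NONE".
  if (String(header.alg).toLowerCase() === 'none') findings.push('alg: none');

  if (typeof payload.exp !== 'number') {
    findings.push('Missing exp');
  } else {
    // Lifetime is exp - iat when iat is present, otherwise exp measured from now.
    const start = typeof payload.iat === 'number' ? payload.iat : now;
    if (payload.exp - start > MAX_LIFETIME_SECONDS) findings.push('Very long lifetime');
  }

  if (typeof payload.iat !== 'number') findings.push('Missing iat');

  for (const key of Object.keys(payload)) {
    if (SENSITIVE_FIELD.test(key)) findings.push(`Sensitive-looking field: ${key}`);
    if (PRIVILEGE_CLAIM.test(key)) findings.push(`Privilege-related claim: ${key}`);
  }
  return findings;
}

// Constructed sample tokens with a placeholder third part instead of a real signature.
function sampleToken(header, payload) {
  return `${b64urlEncode(JSON.stringify(header))}.${b64urlEncode(JSON.stringify(payload))}.placeholder`;
}

const RISKY_TOKEN = sampleToken(
  { alg: 'none', typ: 'JWT' },
  { sub: '1234', admin: true, password: 'hunter2' },
);

const SANE_TOKEN = sampleToken(
  { alg: 'HS256', typ: 'JWT' },
  { sub: '1234', role: 'viewer', iat: 1700000000, exp: 1700000900 },
);

console.log(decodeJwt(RISKY_TOKEN).payload);
console.log(inspectJwt(RISKY_TOKEN));
console.log(inspectJwt(SANE_TOKEN));
```

Note that the `password` field in the risky token is readable by anyone who sees the token: nothing in the decode path needs a key. The checks are heuristics, so they flag a `role` claim even on the sane token; whether that is a problem depends on whether the server re-checks it after verifying the signature.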

Can this tool verify a JWT signature?

No. Verifying a signature requires the secret key (HS256) or the public key (RS256, ES256), and this tool never asks for either. It only decodes the header and payload and runs the heuristic checks above. Always validate signatures and claims on your server using a maintained JWT library, not in the browser.

JWT Decoder FAQ

A JSON Web Token (JWT) is a compact, URL-safe string used to represent claims between two parties. It has three parts separated by dots: a header, a payload, and a signature. JWTs are commonly used for authentication and session tokens.
This decoder runs entirely in your browser using client-side JavaScript. Nothing you paste is sent to RestingOwl or any server. That said, treat tokens like passwords: if a token is still valid, anyone who has the raw value can use it, so avoid pasting tokens into tools you do not trust.
No. Verifying a signature requires the secret key (for HS256) or the public key (for RS256/ES256), which this tool never asks for. This tool only decodes the header and payload and runs heuristic checks on their contents.
The "alg" field in the header tells a server which algorithm to use to verify the signature. A value of "none" means no signature is required at all. If a server is misconfigured to accept this, anyone can edit the payload and produce a token the server will trust.
A JWT payload is base64url-encoded, not encrypted. Anyone who has the token, including the end user, a browser extension, or a proxy, can decode it and read every field. Keep secrets, passwords, and sensitive personal data out of the payload.