JWT Decoder

Paste a JSON Web Token (JWS: header.payload.signature) to decode the header and payload as JSON. The script parses base64url segments in your browser; signature verification is not performed — treat decoded claims as untrusted until your API validates the token. Nothing is uploaded to DroidXP — same local-only model as our APK Analyzer and APK String Extractor.

Not verified. This page only decodes Base64url — it does not check cryptographic signatures. Anyone can forge claims if you skip server-side validation.

Leading Bearer is stripped. JWS tokens use three segments (JWE uses five — not supported here).

What this JWT decoder does

It splits a JWS compact serialization on the "." separator into three parts, Base64url-decodes the first two, and pretty-prints them as JSON. Common time claims (iat, nbf, exp, auth_time) are shown in a readable timeline when present as numeric Unix seconds. The third segment (signature) is shown as text with its decoded byte length — no cryptographic verification is attempted.
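The same decode-only flow as an added example (not DroidXP's own script): it strips an optional Bearer prefix, refuses five-segment JWE input, Base64url-decodes header and payload, builds the time-claim timeline, reports the signature length, and flags alg: none so a reader sees why the result must stay marked unverified. Function names and the returned object shape are this example's own choices.

```javascript
// Added example (not DroidXP's own script): a minimal browser-style JWS inspector
// that mirrors the page's local-only decoding. It never verifies the signature.
const TIME_CLAIMS = ["iat", "nbf", "exp", "auth_time"];

// Base64url (RFC 7515 Appendix C) -> bytes: swap the alphabet, restore padding.
function base64urlToBytes(segment) {
  const b64 = segment.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bin = atob(padded); // throws on characters outside the alphabet
  return Uint8Array.from(bin, (c) => c.charCodeAt(0));
}

// Header and payload must decode to JSON objects, as the page's error text says.
function decodeJsonSegment(segment, name) {
  const value = JSON.parse(new TextDecoder().decode(base64urlToBytes(segment)));
  if (value === null || typeof value !== "object" || Array.isArray(value)) {
    throw new Error(`${name} is not a JSON object`);
  }
  return value;
}

// Split, decode and annotate a JWS compact serialization. The output is untrusted:
// claims are returned exactly as pasted, with verified:false to make that explicit.
function decodeJwt(raw) {
  const token = raw.trim().replace(/^bearer\s+/i, ""); // optional "Bearer " prefix
  const parts = token.split(".");
  if (parts.length === 5) throw new Error("five segments: JWE (encrypted), not supported");
  if (parts.length !== 3) throw new Error(`expected 3 segments, got ${parts.length}`);
  const header = decodeJsonSegment(parts[0], "header");
  const payload = decodeJsonSegment(parts[1], "payload");
  const signatureBytes = base64urlToBytes(parts[2]).length;

  // Timeline only for numeric Unix-second claims; strings stay in the raw JSON.
  const times = {};
  for (const claim of TIME_CLAIMS) {
    if (Number.isFinite(payload[claim])) {
      times[claim] = new Date(payload[claim] * 1000).toISOString();
    }
  }
  // Inspection hints only; the server, not this view, enforces allowed algorithms.
  const warnings = [];
  if (String(header.alg).toLowerCase() === "none") warnings.push("alg is none: unsigned token");
  if (signatureBytes === 0) warnings.push("empty signature segment");
  return { header, payload, times, signatureBytes, verified: false, warnings };
}
```

Run it on the widely published jwt.io HS256 sample token and the decoded iat resolves to 2018-01-18T01:30:22Z with a 32-byte signature; an unsecured token with alg none and an empty third segment decodes too, but with both warnings set.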

Why “not verified” matters

Decoding only reverses Base64url + JSON — it does not prove who issued the token or that it was not tampered with. Always validate the signature (and audience, issuer, expiry, etc.) in your trusted backend or authorization library before trusting claims.

Privacy

The token never leaves your browser tab for this tool. DroidXP does not receive your JWT. Be careful pasting production tokens into any website — treat this like sharing a session hint; prefer redacted samples in tickets.

How to use this tool

  1. Paste the raw JWT (an optional Bearer prefix is OK).
  2. Read the header and payload JSON, and the time claims section if applicable.
  3. Use "Copy full report" for documentation — remember verification still happens only on the server.

Frequently Asked Questions

Does DroidXP upload my JWT?

No. Parsing runs entirely in your browser. The token is not sent to DroidXP servers for this tool.

Does this verify the signature?

No. Signature verification needs the issuer’s public key material and crypto routines — this page only decodes segments for inspection. Use your framework or IdP libraries to verify in a trusted environment.

What about “alg: none” or weak algorithms?

The decoder shows whatever appears in the header. alg: none and algorithm confusion are real attack classes — your server must enforce allowed algorithms and reject unsafe tokens.

Why won’t my five-part token decode?

That is usually a JWE (encrypted JWT) with five segments. This tool targets standard JWS (three segments). Decrypting JWE requires keys and is out of scope here.

Can I paste a Bearer token from DevTools?

Yes — leading Bearer (case-insensitive) is stripped automatically. Ensure you do not leak live session tokens in screenshots or public chats.

How are exp / iat interpreted?

Numeric values are treated as Unix seconds in UTC. Strings or non-standard formats may not appear in the timeline — read the raw JSON in the payload.

Is the clipboard safe?

Clipboard managers and other apps may read clipboard data. Clear the field when done on shared machines, especially for access tokens.

Does this support nested JWTs?

If a claim contains an embedded JWT string, it is shown as plain JSON only — decode nested tokens in a second pass manually if needed.

How is this different from the Hash Generator?

The Hash Generator computes digests of arbitrary bytes. This tool inspects structured token strings — different purpose.

Can I use this for compliance or audits?

Use it as a debugging aid only. Production security decisions require validated libraries, key management, and processes — not a browser decoder page.

What if JSON parsing fails?

The header and payload must be JSON objects after decoding. Malformed tokens, wrong encoding, or truncated paste will show an error — check for line breaks or missing characters.