Documentation
How to use this tool, practical use cases, and technical notes.
The JWT Token Decoder & Analyzer is designed for speed — decoding a token takes under 30 seconds from paste to result. Here is a complete walkthrough of every feature and how to get the most out of the tool.
Step 1 — Obtain a JWT to Analyze
JWTs appear in many places during development and testing. Common sources:
Where to Find JWTs | How to Extract |
|---|---|
Browser DevTools → Application → Cookies | Copy the token value from the cookie named |
Browser DevTools → Application → Local Storage | Look for |
Browser DevTools → Network → Request Headers | Filter by XHR/Fetch; look for |
Browser DevTools → Network → Response Body | Look in |
Postman / Insomnia | Copy from the Authorization tab or response body |
Mobile app proxy (Burp Suite / mitmproxy) | Intercept traffic and copy from Authorization header |
| Parse with |
JWT issued by your auth server during testing | Copy from your test client output |
Step 2 — Use the Auto-Detect from Clipboard Feature
Click "Auto-detect from Clipboard" to automatically paste and detect a JWT from your clipboard without manually using Ctrl+V. This is particularly handy during rapid testing sessions where you're copying tokens from multiple browser tabs or terminal windows.
The tool validates that the pasted string matches the JWT three-part dot-separated structure before attempting to decode. If the input is not recognized as a valid JWT format, it will display a format error rather than attempting a decode.
Step 3 — Choose Your Mode
The toolbar provides five operational tabs. Select the appropriate mode for your task:
Tab | When to Use It |
|---|---|
Decode | Default — use for inspecting any JWT you encounter |
Encode | When building a custom token for testing or demonstration |
Verify | When you want a focused validity/expiry check |
Compare | When analyzing token differences (e.g., before and after privilege escalation, or across environments) |
Extract | When you need just one or two specific fields from a token quickly |
Step 4 — Decode the Token
Paste your JWT into the input field and click "Decode JWT". The tool will display:
Header Section
{
"alg": "HS256",
"typ": "JWT"
}Payload Section
{
"sub": "1234567890",
"name": "John Doe",
"iat": 1516239022,
"exp": 9999999999
}Signature Section
SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
[Signature present — verify with secret key to confirm integrity]Step 5 — Interpret the Results
Reading Standard Claims
The JWT specification (RFC 7519) defines seven registered claims — standardized fields with specific meanings:
Claim | Full Name | Data Type | Description | What to Check |
|---|---|---|---|---|
| Issuer | String (URI) | Who issued the token | Should match your trusted auth server |
| Subject | String | Who the token is about (user ID) | Should be the authenticated user's unique identifier |
| Audience | String or Array | Who the token is intended for | Should match your API/service identifier |
| Expiration Time | Unix timestamp | When the token expires | Must be in the future; tool flags expired tokens |
| Issued At | Unix timestamp | When the token was created | Useful for calculating token age |
| Not Before | Unix timestamp | Token not valid before this time | Should be ≤ current time |
| JWT ID | String | Unique identifier for the token | Used to prevent token replay attacks |
Reading the Token Status Indicator
Status | Meaning | Action |
|---|---|---|
✅ Valid | Correct format; | Token is usable |
⚠️ Expired |
| Re-authenticate to obtain a new token |
❌ Invalid | Malformed structure or unparseable JSON in header/payload | Token is corrupted or truncated |
🔴 Security Warning | Dangerous algorithm or sensitive data detected | Review security notes; do not use in production |
Step 6 — Use the Built-In Quick Examples
The tool ships with 8 pre-loaded example tokens that demonstrate the full range of JWT scenarios. Click any example to instantly load it into the decoder:
Example | Algorithm | What It Demonstrates |
|---|---|---|
HS256 Token | HS256 | Standard symmetric signing; basic claims |
Token with Expiration | HS256 | Non-expired token; |
RS256 Token (Example) | RS256 | Asymmetric signing header structure |
ES256 Token (Example) | ES256 | Elliptic curve signing; |
Expired Token | HS256 |
|
Token with All Claims | HS256 | Full RFC 7519 claim set including |
Token with Sensitive Data (Warning) | HS256 | Password and API key embedded in payload — demonstrates what NOT to do |
Token with None Algorithm (Critical) | none | Critical vulnerability example: unsigned token |
Step 7 — Compare Two Tokens
Use the Compare tab to paste two JWTs side by side. This is invaluable in scenarios like:
Comparing a regular user token vs. an admin token to understand privilege differences
Checking what changed between a token issued before and after a permission change
Identifying environment-specific differences (staging vs. production token claims)
Bug reports where two users have different access — compare their tokens to find claim discrepancies
Step 8 — Copy Results
Use the copy buttons within each section (Header, Payload, Signature, or full decoded output) to extract the information you need for:
Pasting into a bug report or security finding
Documenting a token structure in a penetration test report
Sharing with a colleague for debugging
Saving to a ticket or wiki page
Step 9 — Review History
The Results History panel at the bottom of the workspace tracks all tokens decoded during your session. This is useful when iterating through multiple tokens during a debugging session or security assessment — you can revisit a previous decode without re-pasting.
Note: History is session-only. It clears when you close or refresh the tab.
The JWT Token Decoder & Analyzer is designed for speed — decoding a token takes under 30 seconds from paste to result. Here is a complete walkthrough of every feature and how to get the most out of the tool.
Step 1 — Obtain a JWT to Analyze
JWTs appear in many places during development and testing. Common sources:
Where to Find JWTs | How to Extract |
|---|---|
Browser DevTools → Application → Cookies | Copy the token value from the cookie named |
Browser DevTools → Application → Local Storage | Look for |
Browser DevTools → Network → Request Headers | Filter by XHR/Fetch; look for |
Browser DevTools → Network → Response Body | Look in |
Postman / Insomnia | Copy from the Authorization tab or response body |
Mobile app proxy (Burp Suite / mitmproxy) | Intercept traffic and copy from Authorization header |
| Parse with |
JWT issued by your auth server during testing | Copy from your test client output |
Step 2 — Use the Auto-Detect from Clipboard Feature
Click "Auto-detect from Clipboard" to automatically paste and detect a JWT from your clipboard without manually using Ctrl+V. This is particularly handy during rapid testing sessions where you're copying tokens from multiple browser tabs or terminal windows.
The tool validates that the pasted string matches the JWT three-part dot-separated structure before attempting to decode. If the input is not recognized as a valid JWT format, it will display a format error rather than attempting a decode.
Step 3 — Choose Your Mode
The toolbar provides five operational tabs. Select the appropriate mode for your task:
Tab | When to Use It |
|---|---|
Decode | Default — use for inspecting any JWT you encounter |
Encode | When building a custom token for testing or demonstration |
Verify | When you want a focused validity/expiry check |
Compare | When analyzing token differences (e.g., before and after privilege escalation, or across environments) |
Extract | When you need just one or two specific fields from a token quickly |
Step 4 — Decode the Token
Paste your JWT into the input field and click "Decode JWT". The tool will display:
Header Section
{
"alg": "HS256",
"typ": "JWT"
}Payload Section
{
"sub": "1234567890",
"name": "John Doe",
"iat": 1516239022,
"exp": 9999999999
}Signature Section
SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
[Signature present — verify with secret key to confirm integrity]Step 5 — Interpret the Results
Reading Standard Claims
The JWT specification (RFC 7519) defines seven registered claims — standardized fields with specific meanings:
Claim | Full Name | Data Type | Description | What to Check |
|---|---|---|---|---|
| Issuer | String (URI) | Who issued the token | Should match your trusted auth server |
| Subject | String | Who the token is about (user ID) | Should be the authenticated user's unique identifier |
| Audience | String or Array | Who the token is intended for | Should match your API/service identifier |
| Expiration Time | Unix timestamp | When the token expires | Must be in the future; tool flags expired tokens |
| Issued At | Unix timestamp | When the token was created | Useful for calculating token age |
| Not Before | Unix timestamp | Token not valid before this time | Should be ≤ current time |
| JWT ID | String | Unique identifier for the token | Used to prevent token replay attacks |
Reading the Token Status Indicator
Status | Meaning | Action |
|---|---|---|
✅ Valid | Correct format; | Token is usable |
⚠️ Expired |
| Re-authenticate to obtain a new token |
❌ Invalid | Malformed structure or unparseable JSON in header/payload | Token is corrupted or truncated |
🔴 Security Warning | Dangerous algorithm or sensitive data detected | Review security notes; do not use in production |
Step 6 — Use the Built-In Quick Examples
The tool ships with 8 pre-loaded example tokens that demonstrate the full range of JWT scenarios. Click any example to instantly load it into the decoder:
Example | Algorithm | What It Demonstrates |
|---|---|---|
HS256 Token | HS256 | Standard symmetric signing; basic claims |
Token with Expiration | HS256 | Non-expired token; |
RS256 Token (Example) | RS256 | Asymmetric signing header structure |
ES256 Token (Example) | ES256 | Elliptic curve signing; |
Expired Token | HS256 |
|
Token with All Claims | HS256 | Full RFC 7519 claim set including |
Token with Sensitive Data (Warning) | HS256 | Password and API key embedded in payload — demonstrates what NOT to do |
Token with None Algorithm (Critical) | none | Critical vulnerability example: unsigned token |
Step 7 — Compare Two Tokens
Use the Compare tab to paste two JWTs side by side. This is invaluable in scenarios like:
Comparing a regular user token vs. an admin token to understand privilege differences
Checking what changed between a token issued before and after a permission change
Identifying environment-specific differences (staging vs. production token claims)
Bug reports where two users have different access — compare their tokens to find claim discrepancies
Step 8 — Copy Results
Use the copy buttons within each section (Header, Payload, Signature, or full decoded output) to extract the information you need for:
Pasting into a bug report or security finding
Documenting a token structure in a penetration test report
Sharing with a colleague for debugging
Saving to a ticket or wiki page
Step 9 — Review History
The Results History panel at the bottom of the workspace tracks all tokens decoded during your session. This is useful when iterating through multiple tokens during a debugging session or security assessment — you can revisit a previous decode without re-pasting.
Note: History is session-only. It clears when you close or refresh the tab.