JWT Decoder


Paste a JWT (format header.payload.signature) to decode its Header and Payload in one step and inspect claims such as exp / iat / nbf.

1. Input
Enabled: auto decode after typing stops (~350 ms).
Tip:
A JWT usually consists of three parts, Header, Payload and Signature, separated by dots (.).

Note:
This tool only decodes and displays data. It does NOT verify the signature and cannot tell whether a token is trustworthy.
3. Notes
  • What is a JWT?
    A JWT (JSON Web Token) is a compact way of packing claims (JSON data) into a string. It is widely used for login sessions, API authorization and cross-service authentication. Its typical structure is three parts: Header.Payload.Signature.
  • What are Header and Payload?
    Header: metadata such as the signing algorithm (alg) and the token type (typ).
    Payload: the actual business data/claims (identity such as sub, roles, permissions) and time-related fields (exp and so on).
  • How to read exp / iat / nbf?
    iat (Issued At) = time of issue; nbf (Not Before) = time the token becomes valid; exp (Expiration Time) = expiry time. They are normally Unix timestamps in seconds. This tool converts them to a readable date/time in both local time and UTC for quick checks.
  • Why does "decodable" not mean "trusted"? · Decode ≠ Trust
    Anyone can base64url-encode JSON into the first two parts, so being able to read the contents does not mean the token is actually valid. What decides trust is whether the third part, the Signature, verifies with the server's secret/public key; this tool does not perform that verification.
  • Common debugging scenarios
    ✅ The API returns 401/403: first check whether exp has already passed; then check whether aud/iss match what the server expects; then check whether a required scope/role is missing.
    ✅ Timestamps don't match: check that the server/client time zone and system clock are accurate; also note that some systems use milliseconds (ms) rather than seconds (s).
    ✅ Wrong structure: confirm that the token contains exactly two dots (three parts) and that you did not paste the "Bearer " prefix along with it.
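The checks described in these notes (strip a pasted "Bearer " prefix, require exactly three parts, base64url-decode Header and Payload without verifying the Signature, show iat/nbf/exp as UTC and flag seconds-vs-milliseconds values) as an added Python example; this is not the tool's own code, and the sample token and its claim values are constructed for illustration.

```python
import base64
import json
import time
from datetime import datetime, timezone

def _b64url_decode(segment: str) -> str:
    # base64url drops the '=' padding; restore it so the stdlib decoder accepts it
    segment += "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment.encode()).decode("utf-8")

def decode_jwt(token: str) -> dict:
    """Decode Header and Payload only. The Signature is NOT verified."""
    token = token.strip()
    if token[:7].lower() == "bearer ":
        token = token[7:].strip()  # a pasted "Bearer " prefix is a common mistake
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError(f"expected 3 dot-separated parts, got {len(parts)}")
    return {"header": json.loads(_b64url_decode(parts[0])),
            "payload": json.loads(_b64url_decode(parts[1])),
            "signature_verified": False}  # decoding says nothing about trust

def explain_time_claims(payload: dict, now=None) -> dict:
    """Render iat/nbf/exp as UTC, flag ms-vs-s values, report expiry/validity."""
    now = time.time() if now is None else now
    out = {}
    for claim in ("iat", "nbf", "exp"):
        if claim not in payload:
            continue
        raw = payload[claim]
        # RFC 7519 defines these as seconds; anything above 1e12 must be milliseconds
        unit = "ms" if raw > 10**12 else "s"
        seconds = raw / 1000 if unit == "ms" else raw
        out[claim] = {"raw": raw, "unit": unit, "seconds": seconds,
                      "utc": datetime.fromtimestamp(seconds, timezone.utc).isoformat()}
    if "exp" in out:
        out["expired"] = out["exp"]["seconds"] <= now
    if "nbf" in out:
        out["not_yet_valid"] = out["nbf"]["seconds"] > now
    return out

def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

# Constructed sample token (not a real credential); the signature part is a placeholder.
SAMPLE_PAYLOAD = {"sub": "user-123", "role": "admin", "iat": 1700000000,
                  "nbf": 1700000000, "exp": 1700003600}
SAMPLE_TOKEN = ".".join([_b64url_encode(b'{"alg":"HS256","typ":"JWT"}'),
                         _b64url_encode(json.dumps(SAMPLE_PAYLOAD).encode()),
                         "placeholder-signature"])
```

Call `decode_jwt("Bearer " + SAMPLE_TOKEN)` and then `explain_time_claims(...)` on the returned payload to see the same view the tool gives, including the `signature_verified: False` reminder.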

Disclaimer: for development, debugging and learning only. This tool only decodes and displays data and provides no security guarantee or authorization decision.