JWT Decoder
Paste a JWT (format header.payload.signature) to decode its Header and Payload in one step and inspect claims such as exp / iat / nbf.
1. Input JWT
3. Notes
What is a JWT?
A JWT (JSON Web Token) is a compact token format that packs claims (JSON data) into a single string. It is widely used for login sessions, API authentication/authorization and cross-service authentication. A typical JWT has three parts: Header.Payload.Signature.
What are Header and Payload?
Header: metadata such as the signing algorithm (alg) and the token type (typ).
Payload: the actual claims, i.e. business data such as sub, role and permissions, plus time-related fields such as exp.
How to read exp / iat / nbf?
iat (Issued At) = when the token was issued; nbf (Not Before) = the time from which the token is valid; exp (Expiration Time) = when the token expires. The values are typically Unix timestamps in seconds. This tool converts them to a readable date/time in both local time and UTC for quick checks.
Decode ≠ Trust: why being able to decode a token does not make it trustworthy
Anyone can base64url-encode JSON into the first two parts, so being able to read the contents does not mean the token is actually valid. Trust comes only from verifying the third part, the Signature, against the server's secret or public key. This tool does not perform that verification.
Common debugging scenarios
✅ The API returns 401/403: first check whether exp has passed; then check whether aud/iss match what the server expects; then check whether a required scope/role is missing.
✅ Timestamps look wrong: check that the server's and client's time zone and system clock are accurate, and note that some systems use milliseconds (ms) rather than seconds (s).
✅ Malformed structure: confirm the token contains exactly two dots (three parts) and make sure the "Bearer " prefix was not pasted in along with it.
Disclaimer: For development, debugging and learning purposes only. This tool only decodes and displays data and does not provide any security guarantee or authorization decision.
