Decoded in your browser. The token is never sent anywhere, and the signature is not checked.
Why this exists
Most JWT decoders work fine, but a lot of them ship your token to a server to do the decode. A JWT is a bearer credential: whoever holds it can act as you until it expires, so pasting a live one into someone else's backend is a real leak. This page does the whole thing locally. It splits the token, base64url-decodes the header and payload, and turns the iat, nbf, and exp claims into dates with a plain verdict on whether the token is still inside its valid window. Nothing leaves your browser, and the signature is left unverified on purpose, because checking it would mean handing over the signing key.
Frequently asked questions
- Does my token get sent to a server?
- No. The whole decode happens in your browser with no network call, so the token never leaves the tab. That matters because a JWT is a bearer credential: anyone who has it can act as you until it expires. Pasting a live token into a site that decodes it server-side hands that site your session.
- Does this verify the signature?
- No, and it never asks for your secret or key. Verifying a JWT means recomputing the signature with the signing key, which only the issuer and the verifier should hold. This tool reads the header and payload, which are just base64url-encoded JSON, so a decoded token tells you what it claims, not whether the claims are trustworthy.
- What are iat, nbf, and exp?
- Three timestamp claims from RFC 7519, each a NumericDate counted in seconds since the Unix epoch. iat is when the token was issued, nbf is the earliest moment it should be accepted, and exp is when it expires. The decoder converts all three to normal dates and tells you whether the token is currently inside its valid window.
- Why is a base64url payload not encryption?
- Because base64url is an encoding, not a cipher. There is no key, so anyone can reverse it. A standard JWT is signed, not encrypted, which means the payload is fully readable by whoever holds the token. Never put a secret in a JWT payload expecting it to stay hidden.
- What does alg none mean?
- It means the token claims to need no signature at all. Historically some libraries would accept an alg none token as valid, letting an attacker strip the signature and forge claims. A real verifier should reject none unless it was explicitly chosen for an unsigned context, so the decoder flags it when it sees it.
- Does it track me or use cookies?
- No. No ads, no analytics, no third-party scripts. Everything runs in your browser and nothing is sent anywhere.
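The decode described under "Why this exists" and in the answers about the timestamp claims and alg none, written out as an added example. This is not the page's own source; function names (decodeJwt, base64UrlToBytes, timeWindowVerdict), the two sample tokens and the fixed NOW value are all constructed here for illustration. The sample signature segment is a placeholder string, not a real HMAC, which does not matter because the signature is never checked.

```javascript
// Added example, not the page's own code: a fully local JWT decoder that splits
// the token, base64url-decodes header and payload, converts iat/nbf/exp to dates,
// gives a validity-window verdict and flags alg "none". The signature is
// deliberately not checked, since doing so would need the signing key.
// Runs in a browser and in Node 16+ (atob, btoa, TextEncoder, TextDecoder are globals).

function base64UrlToBytes(segment) {
  // base64url (RFC 7515 section 2) uses '-' and '_' instead of '+' and '/' and drops '=' padding.
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  const bin = atob(padded);
  return Uint8Array.from(bin, (c) => c.charCodeAt(0));
}

function decodeJsonSegment(segment) {
  return JSON.parse(new TextDecoder().decode(base64UrlToBytes(segment)));
}

function timeWindowVerdict(payload, nowSeconds) {
  // RFC 7519: the token is usable when nbf <= now < exp. A missing claim does not constrain the window.
  const { nbf, exp } = payload;
  if (typeof nbf === 'number' && nowSeconds < nbf) return 'not yet valid (before nbf)';
  if (typeof exp === 'number' && nowSeconds >= exp) return 'expired (at or after exp)';
  if (typeof nbf !== 'number' && typeof exp !== 'number') return 'no nbf or exp claim, no window to check';
  return 'inside valid window';
}

function decodeJwt(token, nowSeconds = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split('.');
  if (parts.length !== 3) {
    throw new Error(`expected 3 dot-separated segments, got ${parts.length}`);
  }
  const [headerSeg, payloadSeg, signatureSeg] = parts;
  const header = decodeJsonSegment(headerSeg);
  const payload = decodeJsonSegment(payloadSeg);
  const warnings = [];

  if (typeof header.alg !== 'string') {
    warnings.push('header has no alg claim');
  } else if (header.alg.toLowerCase() === 'none') {
    warnings.push('alg is "none": the token claims to need no signature; a verifier should reject it');
  }
  if (signatureSeg.length === 0) {
    warnings.push('signature segment is empty');
  }

  const dates = {};
  for (const claim of ['iat', 'nbf', 'exp']) {
    if (!(claim in payload)) continue;
    const value = payload[claim];
    if (typeof value !== 'number' || !Number.isFinite(value)) {
      warnings.push(`${claim} is not a NumericDate`);
      continue;
    }
    dates[claim] = new Date(value * 1000).toISOString(); // NumericDate is seconds, Date takes milliseconds
  }

  return {
    header,
    payload,
    dates,
    verdict: timeWindowVerdict(payload, nowSeconds),
    warnings,
    signatureVerified: false, // always false: this decoder never sees a key
  };
}

// Helper used only to build the constructed sample tokens below.
function base64UrlEncodeJson(obj) {
  const bytes = new TextEncoder().encode(JSON.stringify(obj));
  const b64 = btoa(String.fromCharCode(...bytes));
  return b64.replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Constructed samples with a fixed "now" so the verdicts are reproducible.
const NOW = 1700000000;
const SAMPLE_SIGNED = [
  base64UrlEncodeJson({ alg: 'HS256', typ: 'JWT' }),
  base64UrlEncodeJson({ sub: 'user-123', iat: NOW - 60, nbf: NOW - 60, exp: NOW + 3600 }),
  'placeholder-signature', // not a real HMAC
].join('.');
const SAMPLE_ALG_NONE = [
  base64UrlEncodeJson({ alg: 'none' }),
  base64UrlEncodeJson({ sub: 'user-123', exp: NOW - 1 }),
  '', // unsigned tokens carry an empty third segment
].join('.');

if (typeof require !== 'undefined' && typeof module !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(decodeJwt(SAMPLE_SIGNED, NOW), null, 2));
  console.log(JSON.stringify(decodeJwt(SAMPLE_ALG_NONE, NOW), null, 2));
}
```

The second sample shows what the decoder reports for an alg none token: the header and payload still decode fine, but the result carries both an alg none warning and an empty-signature warning, and signatureVerified stays false in every case, which is the point of a decoder as opposed to a verifier.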