alltools.one

JWT Encoder

Validate JSON Web Tokens with real-time processing and security checks

🔒 Local processing: your data never leaves your device

Features

Professional tools

Token Decoding

Paste any JWT and instantly see the decoded header, payload, and signature with color-coded display

Algorithm Support

Supports HMAC (HS256/384/512), RSA (RS256/384/512), ECDSA (ES256/384/512), and PSS algorithms

Expiration Checking

Automatically detects and displays token expiration status with time remaining or time since expiry

Claims Analysis

Displays all standard claims (iss, sub, aud, exp, iat) and custom claims with human-readable labels

Token Encoding

Create new JWT tokens with custom headers, payloads, and secrets for testing and development

Privacy First

All token processing happens in your browser — your secrets and tokens are never sent to any server

Frequently Asked Questions

What is a JWT and what are its three parts?

A JWT (JSON Web Token) is a compact token format used for authentication. It has three Base64URL-encoded parts separated by dots: the header (algorithm and type), the payload (claims like user ID and expiration), and the signature (cryptographic proof the token hasn't been tampered with).

Is it safe to decode production JWTs here?

Yes. All decoding happens locally in your browser — no data is sent to any server. However, remember that JWT payloads are only Base64-encoded, not encrypted. Anyone with the token can read the payload, so never put secrets in JWT claims.

What's the difference between HS256 and RS256?

HS256 uses a shared secret key (symmetric) — both the creator and verifier need the same secret. RS256 uses a public/private key pair (asymmetric) — the creator signs with a private key and anyone can verify with the public key. Use RS256 for public APIs.

How do I check if a JWT is expired?

Paste the token and our tool automatically reads the 'exp' claim and compares it to the current time. It shows whether the token is valid, expired, or has no expiration set, along with the exact time remaining or elapsed.
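The expiry check described in this answer, together with the three-part split from the first question, as an added example that is not the tool's own code. The function names and the sample token are constructed for illustration; the signature segment is a placeholder and nothing here verifies it.

```javascript
// Added example (not alltools.one code): decode a JWT and classify 'exp'.
// Decoding is not verification: the signature is never checked here.
function b64urlToText(part) {
  if (!/^[A-Za-z0-9_-]+$/.test(part)) throw new Error("not Base64URL");
  // Map the URL-safe alphabet back to standard Base64 and restore padding.
  const b64 = part.replace(/-/g, "+").replace(/_/g, "/");
  const padded = b64 + "=".repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
  return new TextDecoder().decode(bytes);
}

function decodeJwt(token) {
  const parts = token.trim().split(".");
  if (parts.length !== 3) throw new Error("expected header.payload.signature");
  return {
    header: JSON.parse(b64urlToText(parts[0])),
    payload: JSON.parse(b64urlToText(parts[1])),
    signature: parts[2], // kept encoded; it is raw bytes, not JSON
  };
}

// nowSeconds is a parameter so the result is reproducible.
function expiryStatus(payload, nowSeconds = Math.floor(Date.now() / 1000)) {
  if (payload.exp === undefined) return { status: "no-expiration" };
  if (typeof payload.exp !== "number" || !Number.isFinite(payload.exp)) {
    return { status: "invalid-exp" }; // 'exp' must be seconds since the epoch
  }
  // A token is expired once the current time reaches 'exp'.
  return nowSeconds < payload.exp
    ? { status: "not-expired", secondsRemaining: payload.exp - nowSeconds }
    : { status: "expired", secondsSinceExpiry: nowSeconds - payload.exp };
}

// Constructed sample token; the third segment is a placeholder, not a signature.
function textToB64url(text) {
  const bin = String.fromCharCode(...new TextEncoder().encode(text));
  return btoa(bin).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}
const SAMPLE_TOKEN = [
  textToB64url(JSON.stringify({ alg: "HS256", typ: "JWT" })),
  textToB64url(JSON.stringify({ sub: "user-123", iat: 1700000000, exp: 1700003600 })),
  "c2FtcGxl",
].join(".");
```

A "not-expired" result only describes the `exp` claim; a server must still verify the signature before trusting any claim.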

Can I create JWTs for testing?

Yes. Enter a custom header and payload, provide a secret, and the tool generates a signed JWT. This is useful for testing API authentication locally, creating mock tokens for development, and learning how JWT signing works.

Why shouldn't I put sensitive data in a JWT?

JWT payloads are Base64-encoded, not encrypted — anyone with the token can decode and read the contents. Store only non-sensitive identifiers (user ID, roles, expiration) in JWTs. Keep sensitive data server-side and reference it by ID.
