Monu Tools

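JWT Decoder

Decode a JSON Web Token to view its header and payload, and show the expiry and issued-at times in readable form. Runs entirely in your browser; the token is never uploaded.

How to use the JWT decoder

  1. Paste a JWT of the form header.payload.signature.

  2. Read the decoded header and payload as formatted JSON.

  3. Check the expiry and issued-at times, and whether the token has already expired.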

What a JWT decoder shows you

A JSON Web Token has three parts separated by dots: a Base64URL-encoded header, a Base64URL-encoded payload, and a signature. This decoder splits and decodes the first two parts instantly in your browser, so you can read what a token actually contains.

The most common use is inspecting a token an API returned: who issued it (iss), when it expires (exp), what permissions it carries (scope or roles), and whether it has already expired.

How the decoding works

The tool takes the header and payload segments and decodes their Base64URL contents back into readable JSON. Nothing is sent anywhere: the split and decode happen locally the moment you paste a token.

Reading expiry and timestamps

The expiry is shown in readable local time, not a raw Unix timestamp, so you can see at a glance whether the token is still valid. The same applies to other time claims like iat and nbf, which become dates you can actually interpret.

Decoding is not verifying

This tool decodes and displays; it does not verify the signature against a secret key. Anyone can read a JWT payload without a key, because the signature only protects the token against tampering; it does not hide the contents.

For signature verification you need the signing secret or public key, which should never be entered into a browser-based tool. Do not paste secrets here.
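The split, Base64URL decode and time-claim handling described above, as an added example (not this tool's own code). The function names, the sample issuer URL and the placeholder signature are assumptions made for illustration; the second sample token has an edited payload with the signature left unchanged, and it decodes without any error.

```javascript
// Decode one Base64URL segment (RFC 7515 strips '=' padding) to a string.
function b64urlDecode(seg) {
  if (!/^[A-Za-z0-9_-]+$/.test(seg)) throw new Error('not Base64URL');
  const b64 = seg.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  const bytes = Uint8Array.from(atob(padded), c => c.charCodeAt(0));
  return new TextDecoder().decode(bytes);
}

// Split and decode only. The signature segment is carried along, never checked.
function decodeJwt(token, nowSec = Math.floor(Date.now() / 1000)) {
  const parts = token.trim().split('.');
  if (parts.length !== 3) throw new Error('expected header.payload.signature');
  const header = JSON.parse(b64urlDecode(parts[0]));
  const payload = JSON.parse(b64urlDecode(parts[1]));
  const times = {}; // ISO 8601 UTC here; the page's tool shows local time
  for (const claim of ['iat', 'nbf', 'exp']) {
    if (typeof payload[claim] === 'number') {
      times[claim] = new Date(payload[claim] * 1000).toISOString();
    }
  }
  let status = 'no exp claim';
  if (typeof payload.nbf === 'number' && nowSec < payload.nbf) {
    status = 'not yet valid';
  } else if (typeof payload.exp === 'number') {
    status = nowSec >= payload.exp ? 'expired' : 'not expired';
  }
  return { header, payload, times, status, signatureChecked: false };
}

// Constructed sample input: tokens built inline with a placeholder signature.
const enc = obj => btoa(JSON.stringify(obj))
  .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
const NOW = 1700000000; // fixed clock so results are reproducible
const head = enc({ alg: 'HS256', typ: 'JWT' });
const SIG = 'cGxhY2Vob2xkZXI'; // placeholder bytes, not a real HMAC
const original = [head, enc({ iss: 'https://issuer.example', scope: 'read',
  iat: NOW - 7200, exp: NOW - 3600 }), SIG].join('.');
// Payload edited, signature segment unchanged: decoding still succeeds, which
// is why decoded claims must not be trusted until a verifier has checked them.
const edited = [head, enc({ iss: 'https://issuer.example', scope: 'admin',
  exp: NOW + 3600 }), SIG].join('.');

console.log(decodeJwt(original, NOW).status, decodeJwt(original, NOW).times);
console.log(decodeJwt(edited, NOW).status, decodeJwt(edited, NOW).payload.scope);
```

Server-side code should accept claims only from a library call that verifies the signature with the expected algorithm and key, never from a decode step like this one.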

Privacy

The token never leaves your device. All decoding runs in your browser, so nothing you paste is uploaded or stored.

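Frequently asked questions

Does it verify the signature?

No. It decodes and displays the header and payload. Verifying the signature requires the signing secret or public key, which you should not paste into any web-based tool.

What is the difference between decoding and verifying?

Decoding reads the Base64url-encoded, unencrypted header and payload. Verifying uses the key to recompute the signature, proving that the token is genuine and has not been tampered with.

Is it safe to paste my token here?

Decoding happens entirely in your browser, so the token is not uploaded. Even so, treat live tokens as secrets and avoid pasting them on shared computers.

What do exp, iat and nbf mean?

They are standard claims: iat is the issued-at time, nbf is the not-before time, and exp is the expiration time. The decoder converts these Unix timestamps into readable local time.

Can I decode an expired token?

Yes. Expiry does not change how a token is decoded, so you can inspect the claims of an expired token and see exactly when it stopped being valid.

Why can my payload be read without a key?

A JWT is signed, not encrypted. The payload is only Base64url-encoded, so anyone can read it. Never put secrets in a JWT payload.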

Embed this tool

Add this tool to your own website. Just copy the snippet below; it stays up to date automatically.

<iframe src="https://monu.tools/embed/zh/jwt-decoder" width="100%" height="640" style="border:1px solid #e5e5e5;border-radius:12px;max-width:680px" loading="lazy" title="Monu Tools"></iframe>