Example
Input (JWT token)
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjMiLCJuYW1lIjoieXV0aWxzIiwiZXhwIjoxNzgwMDAwMDAwfQ.signature
Decoded (Header + Payload)
Header: { "alg": "HS256", "typ": "JWT" }
Payload: { "sub": "123", "name": "yutils", "exp": 1780000000 }
Note
This tool only decodes. The exp claim is a Unix timestamp in seconds — paste it into the unix-timestamp tool for a human-readable date. Signature verification must happen on your server.
Usage / FAQ
When to use
- Inspect header/payload contents of a JWT from cookies or Authorization header
- Quickly read expiration (exp), issued-at (iat), or subject (sub) claims
- Verify issuer and audience match expectations during debugging
- Check the algorithm (alg) and key ID (kid) used by your backend
- Validate token shape visually on the frontend (decode-only, no signature check)
FAQ
- Q. Does this verify the signature?
- A. No. Signature verification requires the public key — pasting keys into external tools is discouraged. yutils decodes only. Verify on the server or with libraries like `jose`.
- Q. Is the token sent anywhere?
- A. No. All decoding runs in the browser. The token never reaches yutils or any external API.
- Q. If anyone can decode it, how is JWT secure?
- A. JWT payloads are designed to be readable — security comes from the signature (only the server's secret key can produce it). Never put sensitive data inside the payload.
Fun facts
The official pronunciation of JWT is 'jot'. RFC 7519 §1 literally says: "JWTs are pronounced 'jot'". In practice everyone still says J-W-T. The RFC authors seem to have given up.
RFC 7519 §1
Early JWT libraries accepted the `alg: none` algorithm. If the token's author set the header to "no signature", the server skipped verification. In 2015 this design flaw exposed countless services to forged admin tokens, and most libraries now reject `none` by default.
Auth0 — JWT none vulnerability
JWT payloads are encoded, not encrypted — anyone can Base64URL-decode them and read the contents. Never put passwords, credit card numbers, or other secrets in the payload. JWT's security comes from "the signature cannot be forged", not from confidentiality.
RFC 7519