jwt-decode


JWT Decode

Decode a JWT by base64url-decoding its header and payload. Does NOT verify signatures — use `jwt-validate` for that.

Steps

  1. Split the token on `.` into three parts (header, payload, signature).
  2. Base64url-decode and parse parts 1 and 2 as JSON.
  3. Display header, payload (with all claims), and the raw signature string.
  4. For `exp`, `nbf`, `iat` — show both the Unix timestamp and human-readable UTC. If `exp` is past, note expired and by how long.
  5. Run security checks (see below).
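The five steps above as a working decoder. This is an added example, not code from the skill itself: the token it decodes is constructed inline (an RS256 header, a payload with `exp`/`iat`, and a placeholder signature segment), `DEMO_NOW` is a fixed clock so the "expired by" output is reproducible, and `report()` is the assumed entry point that returns either the decoded parts plus rendered time claims or the specific decode error (wrong segment count, malformed base64url, invalid JSON). The signature segment is carried through untouched and never checked.

```python
import base64
import json
import re
from datetime import datetime, timezone
from typing import Optional


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


# Constructed sample token (not a real credential): header, payload, placeholder signature.
SAMPLE_TOKEN = ".".join([
    _b64url_encode(json.dumps({"alg": "RS256", "typ": "JWT", "kid": "abc123"}).encode()),
    _b64url_encode(json.dumps({"iss": "https://auth.example.com/", "sub": "user|12345",
                               "exp": 1735689600, "iat": 1735603200}).encode()),
    "placeholder-signature",
])
# Fixed "current time" so the expiry age below is deterministic (2025-04-01T00:00:00Z).
DEMO_NOW = datetime(2025, 4, 1, tzinfo=timezone.utc)

_B64URL = re.compile(r"^[A-Za-z0-9_-]*$")


class JwtDecodeError(ValueError):
    """Carries the specific decode failure so it can be reported verbatim."""


def b64url_decode(segment: str, name: str) -> bytes:
    # RFC 7515 base64url omits '=' padding; reject illegal characters explicitly because
    # the stdlib decoder silently discards them, then restore padding before decoding.
    if not _B64URL.match(segment):
        raise JwtDecodeError(f"{name}: malformed base64url (illegal characters)")
    try:
        return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise JwtDecodeError(f"{name}: malformed base64url ({exc})") from exc


def decode_json_segment(segment: str, name: str) -> dict:
    raw = b64url_decode(segment, name)
    try:
        obj = json.loads(raw)
    except ValueError as exc:  # JSONDecodeError or UnicodeDecodeError
        raise JwtDecodeError(f"{name}: invalid JSON ({exc})") from exc
    if not isinstance(obj, dict):
        raise JwtDecodeError(f"{name}: expected a JSON object")
    return obj


def decode_jwt(token: str) -> dict:
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise JwtDecodeError(f"expected 3 '.'-separated segments, got {len(parts)}")
    return {
        "header": decode_json_segment(parts[0], "header"),
        "payload": decode_json_segment(parts[1], "payload"),
        "signature": parts[2],  # raw base64url string, deliberately left unverified
    }


def _age(seconds: float) -> str:
    seconds = int(abs(seconds))
    for unit, size in (("day", 86400), ("hour", 3600), ("minute", 60)):
        if seconds >= size:
            n = seconds // size
            return f"{n} {unit}{'s' if n != 1 else ''}"
    return f"{seconds} seconds"


def describe_time_claims(payload: dict, now: datetime) -> dict:
    """Render exp/nbf/iat as Unix timestamp plus UTC; mark a past exp as expired with its age."""
    out = {}
    for claim in ("exp", "nbf", "iat"):
        value = payload.get(claim)
        if isinstance(value, bool) or not isinstance(value, (int, float)):
            continue  # absent or not a NumericDate; nothing to render
        ts = datetime.fromtimestamp(value, tz=timezone.utc)
        text = f"{int(value)} = {ts.strftime('%Y-%m-%dT%H:%M:%SZ')}"
        if claim == "exp" and ts < now:
            text += f" EXPIRED ({_age((now - ts).total_seconds())} ago)"
        out[claim] = text
    return out


def report(token: str, now: Optional[datetime] = None) -> dict:
    """Decode and summarise; on failure return the specific error instead of raising."""
    try:
        decoded = decode_jwt(token)
    except JwtDecodeError as exc:
        return {"error": str(exc)}
    decoded["times"] = describe_time_claims(decoded["payload"], now or datetime.now(timezone.utc))
    return decoded


if __name__ == "__main__":
    print(json.dumps(report(SAMPLE_TOKEN, DEMO_NOW), indent=2))
```

Illegal characters are checked with a regex before decoding because `base64.urlsafe_b64decode` drops non-alphabet bytes rather than rejecting them, which would otherwise turn a malformed-base64 error into a misleading invalid-JSON one.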

Output Format

```text
Header
{ "alg": "RS256", "typ": "JWT", "kid": "abc123" }

Payload
{ "iss": "https://auth.example.com/", "sub": "user|12345", "exp": 1735689600 }
exp: 2025-01-01T00:00:00Z — EXPIRED (3 months ago)
iat: 2024-12-31T00:00:00Z

Signature
Algorithm: RS256 | Signature: [base64url string] (Not verified — use jwt-validate to verify)
```

Security Checks

Flag these prominently when found:
  • `alg: none` — Token is unsigned. Warn: "This token has no signature and cannot be trusted. Any party could have created or modified it." This is a known attack vector (CVE-2015-9235) where attackers strip signatures to bypass verification.
  • Sensitive data in payload — JWTs are encoded, not encrypted. Warn if you spot passwords, secrets, API keys, or PII in claims.
  • Missing `exp` — Token never expires. Flag as a security risk.
  • `jku` / `jwk` / `x5u` in header — These can be used to trick verifiers into fetching attacker-controlled keys. Flag if present.

Notes

  • If `cty` header is "JWT", the payload is a nested JWT — decode recursively.
  • On decode failure, report the specific error (malformed base64, invalid JSON, wrong segment count).
  • This skill only reveals token contents — it says nothing about authenticity. Direct users to `jwt-validate` for verification.
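The Security Checks list and the nested-JWT note above, as one check function over an already-decoded header and payload. This is an added example, not the skill's own code: `security_checks()` and the severity labels are assumptions, the sample header/payload are constructed, and two of the comparisons go slightly beyond the text where that is safe for a decoder to do (the `alg` match is case-insensitive, since `none` variants differ only by case, and the sensitive-data check keys off claim names rather than trying to classify values).

```python
# Claim-name fragments that suggest a secret or PII is being carried in plaintext.
SENSITIVE_CLAIM_HINTS = ("password", "passwd", "secret", "api_key", "apikey",
                         "ssn", "credit_card", "card_number")
# Header fields that tell a verifier where to fetch the key from.
KEY_REFERENCE_HEADERS = ("jku", "jwk", "x5u")

# Constructed sample, not a real token: unsigned, no expiry, a remote key reference,
# and a plaintext password claim.
DEMO_HEADER = {"alg": "none", "typ": "JWT", "jku": "https://keys.example.invalid/jwks.json"}
DEMO_PAYLOAD = {"sub": "user|12345", "password": "hunter2"}


def _finding(severity: str, check: str, message: str) -> dict:
    return {"severity": severity, "check": check, "message": message}


def security_checks(header: dict, payload: dict) -> list:
    """Return the findings the skill says to flag prominently, in display order."""
    findings = []

    # alg: none (compared case-insensitively so "None"/"NONE" are not missed).
    if str(header.get("alg", "")).strip().lower() == "none":
        findings.append(_finding(
            "HIGH", "alg: none",
            "This token has no signature and cannot be trusted. "
            "Any party could have created or modified it."))

    # Key-reference headers that can steer a verifier toward an attacker-chosen key.
    present = [h for h in KEY_REFERENCE_HEADERS if h in header]
    if present:
        findings.append(_finding(
            "HIGH", "key reference in header: " + ", ".join(present),
            "These fields can be used to trick verifiers into fetching attacker-controlled keys."))

    # Missing exp: the token never expires.
    if "exp" not in payload:
        findings.append(_finding("MEDIUM", "missing exp",
                                 "Token never expires. Flag as a security risk."))

    # Sensitive-looking claim names: the payload is base64url-encoded, not encrypted.
    for claim in payload:
        if any(hint in claim.lower() for hint in SENSITIVE_CLAIM_HINTS):
            findings.append(_finding(
                "MEDIUM", f"sensitive claim name: {claim}",
                "JWTs are encoded, not encrypted; anyone holding the token can read this value."))

    # Nested JWT: cty is "JWT" (compared case-insensitively, as RFC 7519 allows).
    if str(header.get("cty", "")).upper() == "JWT":
        findings.append(_finding("INFO", "cty: JWT",
                                 "Payload is a nested JWT; decode it recursively."))
    return findings


def format_findings(findings: list) -> str:
    return "\n".join(f"[{f['severity']}] {f['check']}: {f['message']}" for f in findings)


if __name__ == "__main__":
    print(format_findings(security_checks(DEMO_HEADER, DEMO_PAYLOAD)))
```

Run against the sample header and payload this produces four findings (unsigned token, `jku` present, no `exp`, a `password` claim); a well-formed RS256 token with an `exp` claim produces none.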
