§ jwt
jwt.
Paste a JSON Web Token, get its header, payload, and a list of common red flags: alg=none, missing exp, expired, missing iss/aud, anomalously long lifetime.
- signature
- shown but not verified — verification needs the issuer's public key.
- URL state
- token is not reflected in the URL (avoids leaking via browser history).
nothing is logged or stored. URL state is intentionally disabled here so a token can't leak through browser history.