Summary
Quick way to peek inside a JWT without spinning up a debugger or hitting jwt.io. Paste in a token and you get the header, payload, and all claims formatted cleanly, with exp/iat timestamps converted to human-readable dates. It'll yell at you if it spots alg:none (the classic bypass attack), tokens with no expiry, or sensitive data sitting in plain view. This is decode only, no signature verification, so it's for inspection and debugging, not trust decisions. If you need to actually verify a token's signature, you want jwt-validate instead.
Install to Claude Code
npx -y skills add jsonwebtoken/jwt-skills --skill jwt-decode --agent claude-codeInstalls into .claude/skills of the current project.
Keep your Mac awake while Claude Code and 40+ AI agents run. Sleeps when they're idle.
One time payment $9 →
Integrate web data into your AI product. One API to scrape website & brand data.
Get API Key Now →
Agent, run crypto. Access onchain data & trade routes via 1inch.
Install now →
On Capafy, your Skill runs online 24/7 as an agent product, and you get paid every time someone uses it.
Start earning →
Files
SKILL.mdView on GitHub
JWT Decode
Decode a JWT by base64url-decoding its header and payload. Does NOT verify signatures — use jwt-validate for that.
Steps
- Split the token on
.into three parts (header, payload, signature). - Base64url-decode and parse parts 1 and 2 as JSON.
- Display header, payload (with all claims), and the raw signature string.
- For
exp,nbf,iat— show both the Unix timestamp and human-readable UTC. Ifexpis past, note expired and by how long. - Run security checks (see below).
Output Format
## Header
{ "alg": "RS256", "typ": "JWT", "kid": "abc123" }
## Payload
{ "iss": "https://auth.example.com/", "sub": "user|12345", "exp": 1735689600 }
exp: 2025-01-01T00:00:00Z — EXPIRED (3 months ago)
iat: 2024-12-31T00:00:00Z
## Signature
Algorithm: RS256 | Signature: [base64url string]
(Not verified — use jwt-validate to verify)
Security Checks
Flag these prominently when found:
alg: none— Token is unsigned. Warn: "This token has no signature and cannot be trusted. Any party could have created or modified it." This is a known attack vector (CVE-2015-9235) where attackers strip signatures to bypass verification.- Sensitive data in payload — JWTs are encoded, not encrypted. Warn if you spot passwords, secrets, API keys, or PII in claims.
- Missing
exp— Token never expires. Flag as a security risk. jku/jwk/x5uin header — These can be used to trick verifiers into fetching attacker-controlled keys. Flag if present.
Notes
- If
ctyheader is "JWT", the payload is a nested JWT — decode recursively. - On decode failure, report the specific error (malformed base64, invalid JSON, wrong segment count).
- This skill only reveals token contents — it says nothing about authenticity. Direct users to
jwt-validatefor verification.
Featured
Keep your Mac awake while Claude Code and 40+ AI agents run. Sleeps when they're idle.
One time payment $9 →Integrate web data into your AI product. One API to scrape website & brand data.
Get API Key Now →Agent, run crypto. Access onchain data & trade routes via 1inch.
Install now →On Capafy, your Skill runs online 24/7 as an agent product, and you get paid every time someone uses it.
Start earning →First SeenJun 3, 2026
