Logo

MonoCalc

/

Token Decoder

Encode/Decode

About This Tool

🔍 Token Decoder – Universal Token Inspection & Analysis

The Token Decoder is a browser-based tool that automatically detects and decodes virtually any token or encoded string you encounter during development, security auditing, or API integration work. Paste a JWT, a Base64 string, a hex-encoded payload, a URL percent-encoded value, a UUID, or an opaque API key — and the tool instantly reveals its internal structure, contents, and security properties.

All decoding is performed entirely client-side in your browser. Your tokens never leave your device, making it safe to inspect development and staging credentials.

🧩 Supported Token Formats

FormatDetection SignalDecoding Method
JWT3 dot-separated Base64URL segments starting with eyJBase64URL decode each part, JSON.parse
Base64Characters in [A-Za-z0-9+/=], length divisible by 4atob() → UTF-8 or JSON
Base64URLCharacters in [A-Za-z0-9-_=], URL-safe alphabetReplace -/_ → +//, pad, atob()
HexAll characters in [0-9a-fA-F], even length ≥ 4Parse pairs as bytes → ASCII
URL-EncodedContains %XX percent-encoding sequencesdecodeURIComponent()
UUIDMatches RFC 4122 pattern (8-4-4-4-12)Parse version and variant fields
Opaque / API KeyFalls through all above patternsEntropy analysis + prefix detection

🔐 JWT Decoding in Depth

JSON Web Tokens (JWTs) follow the RFC 7519 standard and consist of three Base64URL-encoded parts separated by dots:

Header — algorithm (alg) and token type (typ), plus optional key ID (kid).

Payload — claims about the subject: identity (sub, name, email), permissions (scope, role), and timing (exp, iat, nbf).

Signature — HMAC or RSA/EC signature over header + payload to prevent tampering. The tool reports it as Unverified unless you supply the HMAC secret.

The decoder shows each section in a separate tab, provides a Claims Breakdown Table with plain-English descriptions for all standard iss, sub, aud, exp, nbf, iat, and jti claims, and converts Unix epoch timestamps to ISO 8601 or local time.

⚠️ Security Warnings & Checks

The tool automatically flags the following conditions:

🔴 Algorithm: none

A JWT with alg set to "none" has no signature and can be forged by anyone. Any server that accepts these tokens without verification is critically vulnerable.

🟠 Expired Token

When the current time is past the exp claim, the token is flagged as expired. Expired tokens should be rejected by APIs — if they are not, that is a server-side misconfiguration.

🟡 Short HMAC Secret

Secrets under 16 characters for HS256/HS384/HS512 tokens are susceptible to offline brute-force attacks. Use a random secret of at least 32 characters.

🟡 Low Entropy Token

Tokens with Shannon entropy below 3.0 bits/char may be weak, structured, or sequentially generated — making them easier to predict or enumerate.

📊 Entropy Analysis

Shannon entropy is calculated using the formula H(X) = -Σ p(xᵢ) × log₂(p(xᵢ)), where p(xᵢ) is the relative frequency of each character in the string. The result is expressed in bits per character:

≥ 4.5 bits/char — High entropy, strong random token ✅

3.0 – 4.5 bits/char — Medium entropy, review token generation 🟡

< 3.0 bits/char — Low entropy, potentially weak or structured 🔴

🗝️ API Key Pattern Recognition

For opaque tokens that do not match any standard encoding, the tool performs prefix pattern matching to identify well-known key formats — including Stripe (sk_live_, pk_test_), GitHub (ghp_), Slack (xoxb-), Google (AIza, ya29.), and AWS (AKIA). This helps developers quickly understand what service a leaked or unknown token belongs to.

💡 Practical Use Cases

Debugging authentication flows — Paste a JWT from your browser's network tab to inspect claims and verify the token hasn't expired.

Security audits — Check for weak algorithms, expired tokens, short secrets, or low-entropy credentials in test environments.

API integration — Decode Base64-encoded API responses or hex payloads returned by third-party services without writing one-off scripts.

Education & onboarding — Understand the structure of JWTs and OAuth tokens when learning about modern authentication standards.

Frequently Asked Questions

Is the Token Decoder free?

Yes, Token Decoder is totally free :)

Can I use the Token Decoder offline?

Yes, you can install the webapp as PWA.

Is it safe to use Token Decoder?

Yes, any data related to Token Decoder only stored in your browser (if storage required). You can simply clear browser cache to clear all the stored data. We do not store any data on server.

What token formats does this decoder support?

The Token Decoder auto-detects and handles JWT (JSON Web Tokens), Base64 and Base64URL strings, hexadecimal-encoded data, URL percent-encoded strings, UUIDs, and opaque/API key tokens. For unrecognized formats, it performs entropy analysis and pattern matching.

How does the JWT decoding work?

The tool splits the token on dots, Base64URL-decodes each of the three segments (header, payload, signature), and parses the JSON. It then annotates standard claims like `exp`, `iat`, `sub`, `iss`, and `aud`, and checks whether the token is expired, active, or not-yet-valid based on current time.

Is my token sent to a server?

No. All decoding happens entirely in your browser using JavaScript. No token data is transmitted to any server, making it safe to inspect development and staging tokens. Exercise caution with production credentials.

What is entropy analysis and why does it matter?

Shannon entropy measures the randomness of the token string in bits per character. High entropy (> 4.5 bits/char) indicates a strong, cryptographically random token. Low entropy (< 3.0 bits/char) may suggest a weak or structured token that is easier to guess or brute-force.

Why does the tool show a security warning for 'alg: none'?

The `alg: none` algorithm in a JWT header means the token has no signature, making it trivially forgeable. Any server that accepts such tokens without verification is vulnerable to token tampering attacks. This tool flags this condition as a critical security risk.

Can I verify the JWT signature with this tool?

Yes. Provide an HMAC secret for HS256/HS384/HS512 tokens, and the tool will attempt signature verification using the Web Crypto API. RSA and EC key verification is not supported in this version. Without a secret, the signature is shown as 'Unverified' rather than invalid.