What's actually inside a JWT
A JSON Web Token is three base64url-encoded parts separated by dots: header.payload.signature. The header says which algorithm signed it; the payload holds the claims (who the token is for, when it expires, what it can do); the signature proves it hasn't been tampered with — if you have the key to check. Critically, the first two parts are encoded, not encrypted: anyone holding the token can read every claim. Never put a secret in a JWT payload.
The claims that matter for security
exp (expiry) is the big one — a token with no exp, or one valid for months, is a credential that stays dangerous long after it leaks. alg matters too: alg:none means unsigned (forgeable), and a server that accepts it is critically vulnerable. Short lifetimes and a strong, fixed algorithm are the baseline.
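The decoding and flagging described above, as an added example that is not the page's own tool: it splits a token into its three base64url segments, JSON-parses the header and payload, and reports the settings the text calls out (alg none, a missing exp, an expired token, or a lifetime beyond a policy threshold). It assumes Node.js (for Buffer's base64url support); the 24-hour lifetime limit and the sample tokens are constructed for illustration, and nothing here checks the signature.

```javascript
// Added example (not the page's decoder). Node.js: uses Buffer for base64url.
// Decoding only; the signature segment is carried along but never verified.

// base64url segment -> UTF-8 string (JWT segments carry no '=' padding).
function b64urlDecode(seg) {
  return Buffer.from(seg, 'base64url').toString('utf8');
}

// JSON object -> base64url segment, used here only to build constructed samples.
function b64urlEncode(obj) {
  return Buffer.from(JSON.stringify(obj)).toString('base64url');
}

// Split header.payload.signature and parse the two readable parts.
function decodeJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('expected header.payload.signature');
  return {
    header: JSON.parse(b64urlDecode(parts[0])),
    payload: JSON.parse(b64urlDecode(parts[1])),
    signature: parts[2], // left encoded; not checked by this code
  };
}

// Risk flags for the claims discussed on the page. nowSec lets a caller pin
// "now"; maxLifetimeSec is an assumed policy threshold (24 hours here).
function riskFlags(decoded, nowSec = Math.floor(Date.now() / 1000), maxLifetimeSec = 24 * 3600) {
  const flags = [];
  const alg = String(decoded.header.alg || '').toLowerCase();
  if (alg === '' || alg === 'none') flags.push('alg none: unsigned, forgeable');

  const { exp, iat } = decoded.payload;
  if (typeof exp !== 'number') {
    flags.push('no exp: token never expires');
  } else {
    if (exp <= nowSec) flags.push('expired');
    // Without iat, measure the remaining lifetime from now instead.
    const issued = typeof iat === 'number' ? iat : nowSec;
    if (exp - issued > maxLifetimeSec) flags.push(`lifetime ${exp - issued}s exceeds policy`);
  }
  return flags;
}

// Constructed sample tokens (not real credentials); signature segments are placeholders.
const NOW = 1700000000;
const SAMPLE_GOOD = `${b64urlEncode({ alg: 'HS256', typ: 'JWT' })}.${b64urlEncode({ sub: 'user-1', iat: NOW, exp: NOW + 900 })}.c2ln`;
const SAMPLE_NONE = `${b64urlEncode({ alg: 'none' })}.${b64urlEncode({ sub: 'admin', iat: NOW, exp: NOW + 900 })}.`;
const SAMPLE_NOEXP = `${b64urlEncode({ alg: 'HS256' })}.${b64urlEncode({ sub: 'user-1', iat: NOW })}.c2ln`;
const SAMPLE_LONG = `${b64urlEncode({ alg: 'HS256' })}.${b64urlEncode({ sub: 'user-1', iat: NOW, exp: NOW + 90 * 24 * 3600 })}.c2ln`;

for (const [name, token] of Object.entries({ SAMPLE_GOOD, SAMPLE_NONE, SAMPLE_NOEXP, SAMPLE_LONG })) {
  const decoded = decodeJwt(token);
  console.log(name, decoded.header, decoded.payload, riskFlags(decoded, NOW));
}
```

Every claim printed here was readable without any key, which is the page's first point; the flags are a checklist, not a verdict, because a token can pass all of them and still carry a forged signature.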
A token is one credential. What governs the system it unlocks?
Decoding a JWT tells you what a credential can do. Infraveil governs what anything — a user, a service, or an AI agent holding that token — is actually allowed to do to your production backend: least-privilege access, a human-approval gate on destructive actions, and a tamper-evident audit trail, on servers you own.
Frequently asked questions
Is it safe to paste a JWT here?
Decoding runs entirely in your browser — nothing is uploaded. Still, a JWT is a credential; only paste tokens into tools you trust. This one works offline.
Does this verify the signature?
No — that needs the key, which you should never paste into a web tool. This tool only decodes the token and flags risky settings. Decoding ≠ verification.
What does alg:none mean?
The token is unsigned and forgeable. A server accepting alg:none is critically vulnerable; it must reject it.