jwt-decode
Installation
SKILL.md
JWT Decode
Decode a JWT by base64url-decoding its header and payload. Does NOT verify signatures — use jwt-validate for that.
Steps
- Split the token on
.into three parts (header, payload, signature). - Base64url-decode and parse parts 1 and 2 as JSON.
- Display header, payload (with all claims), and the raw signature string.
- For
exp,nbf,iat— show both the Unix timestamp and human-readable UTC. Ifexpis past, note expired and by how long. - Run security checks (see below).
Output Format
## Header
{ "alg": "RS256", "typ": "JWT", "kid": "abc123" }