PASETO Decoder
Paste a PASETO token to inspect its version, purpose, payload claims, footer, and signature. Decode-only — no key required, nothing leaves your browser.
About This Tool
The PASETO Decoder splits Platform-Agnostic SEcurity TOkens (PASETO) into their constituent parts so you can inspect what a token contains without running the full cryptographic verification flow. PASETO was designed as a safer alternative to JWT: instead of negotiating algorithms in the header, the version and purpose are baked into the token itself (e.g. v4.public), eliminating the entire class of alg=none and algorithm-confusion attacks that have repeatedly affected JWT implementations.
A PASETO token has the form version.purpose.payload[.footer]. The version (v1 through v4) selects a fixed cryptographic suite. The purpose is either local (symmetric, encrypted) or public (asymmetric, signed). The payload is a Base64url-encoded blob — for public tokens it's a signed JSON document you can read; for local tokens it's ciphertext that requires the symmetric key to decrypt. The optional footer is authenticated but never encrypted, and is commonly used to carry a key identifier (kid) hint.
This tool focuses on decoding, not verification. For public tokens it Base64url-decodes the payload and separates the trailing signature (64 bytes for Ed25519 in v2/v4, 96 bytes for ECDSA P-384 in v3, 256 bytes for RSA-PSS in v1). For local tokens it reports the nonce, raw ciphertext and authentication tag lengths without attempting decryption. The registered claims iss, sub, aud, exp, iat, nbf and jti, plus the footer claim kid, are highlighted with tooltip explanations, and PASETO's ISO 8601 (RFC 3339) exp claim is rendered with a live expiration countdown. Because nothing is verified, treat decoded claims as untrusted input: anyone can mint a well-formed public token with arbitrary claims and a garbage signature, and it will decode cleanly here. When you need to flip between PASETO and JWT inspection, the JWT Decoder handles the latter; for working with raw signing keys, see the Encryption Playground. All processing happens client-side using atob and the standard Web APIs (PASETO uses unpadded Base64url, so the tool swaps the alphabet and restores padding before calling atob). Your tokens are never transmitted anywhere.
How to Use
- Paste a PASETO token (e.g. v4.public.eyJzdWI...) into the input area.
- The tool auto-detects the version and purpose from the first two segments and splits the token into its dot-separated parts (version, purpose, payload, optional footer), then separates the trailing signature or authentication tag from the payload.
- For public tokens, the payload JSON is rendered as a claim table; hover over claim names like exp for explanations.
- The exp claim (ISO 8601 in PASETO, unlike JWT's Unix seconds) shows a live countdown: green if active, red if expired.
- If the token has a footer, it is decoded and shown separately; kid hints typically live here.
- Use the per-section Copy buttons or press Ctrl+Shift+C to copy the entire decoded structure as JSON.
- Refer to the PASETO Version Cryptography table at the bottom to see which algorithms each version uses.
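The splitting described in About This Tool and in the steps above, written out as an added example (this is not the tool's own source). It is dependency-free browser/Node JavaScript: it validates the version and purpose, Base64url-decodes with atob after restoring the standard alphabet and padding, strips the trailing signature from public tokens using the per-version signature length, reports only nonce/ciphertext/tag lengths for local tokens, and evaluates the ISO 8601 exp claim. The sample tokens are constructed inline with a zero-filled placeholder signature, so they decode but would never verify; the signature and tag lengths come from the PASETO specification.

```javascript
// Added example: decode-only PASETO splitter. No key, no verification.
// Per-version trailing signature length for *.public (from the PASETO spec).
const PUBLIC_SIG_BYTES = { v1: 256, v2: 64, v3: 96, v4: 64 }; // RSA-PSS 2048, Ed25519, ECDSA P-384 r||s, Ed25519
// Per-version layout of *.local payloads: nonce || ciphertext || tag.
const LOCAL_LAYOUT = {
  v1: { nonce: 32, tag: 48 }, // AES-256-CTR + HMAC-SHA384
  v2: { nonce: 24, tag: 16 }, // XChaCha20-Poly1305
  v3: { nonce: 32, tag: 48 }, // AES-256-CTR + HMAC-SHA384
  v4: { nonce: 32, tag: 32 }, // XChaCha20 + BLAKE2b-256 MAC
};

// PASETO segments are unpadded Base64url; atob wants standard Base64, so convert first.
function base64urlDecode(s) {
  if (!/^[A-Za-z0-9_-]*$/.test(s)) throw new Error('invalid base64url segment');
  const std = s.replace(/-/g, '+').replace(/_/g, '/');
  const bin = atob(std + '='.repeat((4 - (std.length % 4)) % 4));
  const out = new Uint8Array(bin.length);
  for (let i = 0; i < bin.length; i++) out[i] = bin.charCodeAt(i);
  return out;
}

function base64urlEncode(bytes) {
  let bin = '';
  for (const b of bytes) bin += String.fromCharCode(b);
  return btoa(bin).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

function decodePaseto(token) {
  const parts = token.split('.');
  if (parts.length !== 3 && parts.length !== 4) throw new Error('expected 3 or 4 dot-separated segments');
  const [version, purpose, payloadB64, footerB64] = parts;
  if (!/^v[1-4]$/.test(version)) throw new Error(`unsupported version ${version}`);
  if (purpose !== 'local' && purpose !== 'public') throw new Error(`unsupported purpose ${purpose}`);
  const payload = base64urlDecode(payloadB64);
  const result = { version, purpose, footer: null, footerClaims: null };
  if (footerB64 !== undefined) {
    result.footer = new TextDecoder().decode(base64urlDecode(footerB64)); // authenticated, never encrypted
    try { result.footerClaims = JSON.parse(result.footer); } catch { /* footer need not be JSON */ }
  }
  if (purpose === 'public') {
    const sigLen = PUBLIC_SIG_BYTES[version];
    if (payload.length < sigLen) throw new Error('payload shorter than signature');
    result.signatureBytes = sigLen;
    // Readable but UNVERIFIED: anyone can produce a token that decodes here.
    result.claims = JSON.parse(new TextDecoder().decode(payload.subarray(0, payload.length - sigLen)));
  } else {
    const { nonce, tag } = LOCAL_LAYOUT[version];
    if (payload.length < nonce + tag) throw new Error('payload shorter than nonce + tag');
    result.nonceBytes = nonce;
    result.ciphertextBytes = payload.length - nonce - tag; // opaque without the symmetric key
    result.tagBytes = tag;
  }
  return result;
}

// exp/iat/nbf are RFC 3339 / ISO 8601 strings in PASETO, not Unix seconds as in JWT.
function expiryStatus(claims, now = new Date()) {
  if (!claims || typeof claims.exp !== 'string') return { state: 'no-exp' };
  const exp = new Date(claims.exp);
  if (Number.isNaN(exp.getTime())) return { state: 'invalid-exp' };
  const secondsLeft = Math.floor((exp - now) / 1000);
  return { state: secondsLeft > 0 ? 'active' : 'expired', secondsLeft };
}

// Constructed samples (not real tokens): JSON claims followed by a 64-byte all-zero
// placeholder where a v4.public Ed25519 signature would sit, and a v4.local blob of
// 32-byte nonce + 10 ciphertext bytes + 32-byte tag.
const enc = new TextEncoder();
const SAMPLE_PUBLIC_TOKEN = 'v4.public.'
  + base64urlEncode(new Uint8Array([...enc.encode(JSON.stringify({ sub: 'user-123', exp: '2030-01-01T00:00:00Z' })), ...new Uint8Array(64)]))
  + '.' + base64urlEncode(enc.encode('{"kid":"key-2024"}'));
const SAMPLE_LOCAL_TOKEN = 'v4.local.' + base64urlEncode(new Uint8Array(32 + 10 + 32));

console.log(decodePaseto(SAMPLE_PUBLIC_TOKEN));
console.log(decodePaseto(SAMPLE_LOCAL_TOKEN));
```

The public sample decodes to a claim table with sub and exp and a footer kid of key-2024 even though its "signature" is 64 zero bytes, which is exactly why a decoder's output must not be mistaken for verification.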
FAQ
What is PASETO?
PASETO (Platform-Agnostic SEcurity TOkens) is a token format designed as a safer alternative to JWT. Instead of letting the token header negotiate which algorithm to use, PASETO bakes the cryptographic suite into the version (v1-v4). This eliminates the alg=none and algorithm-confusion attack classes that have repeatedly broken JWT deployments.
How is PASETO different from JWT?
JWT lets the token declare its own algorithm in the header, which has caused several high-profile vulnerabilities. PASETO fixes the algorithm per version and purpose: v4.public always means Ed25519, v4.local always means XChaCha20 encryption with a BLAKE2b MAC. A verifier should still hard-code the single version.purpose it accepts and reject anything else; PASETO removes the negotiation, not the need to pin. PASETO also uses ISO 8601 timestamps for exp/iat/nbf rather than Unix seconds, and supports an authenticated (but non-encrypted) footer.
What does each PASETO version mean?
v1 (legacy): AES-256-CTR + HMAC-SHA384 for local, RSA-PSS for public. v2 (legacy): XChaCha20-Poly1305 for local, Ed25519 for public. v3 (NIST/FIPS-friendly): AES-256-CTR + HMAC-SHA384 and ECDSA P-384. v4 (recommended modern default): XChaCha20 + BLAKE2b and Ed25519. The specification deprecates v1 and v2; keep them only for verifying tokens already in circulation. New systems should use v4 unless they need NIST-approved primitives, in which case v3 is the choice.
Why is this decode-only? Why no signature verification?
Verification requires loading the correct public or symmetric key for the token's version and purpose, and a verifier that silently accepts the wrong key, the wrong version, or an unexpected footer is exactly the failure mode PASETO was designed to prevent. Rather than ship a partial verifier that might mislead users, this tool focuses on inspection: showing structure, claims, and metadata. For real verification, use a hardened library like paseto-rs (Rust), paseto.js (JavaScript), or php-paseto in your application code, and pin the version.purpose you accept.
Is my data safe?
Yes. The tool runs entirely in your browser using atob() and standard Web APIs — no token, payload, or footer is ever sent over the network or stored. That said, remember that public PASETO tokens have an unencrypted payload by design: anyone you paste a v*.public token to can read its claims. If a token is in production use, treat it like a credential and avoid pasting it into any web tool, including this one.
When should I use PASETO over JWT?
Use PASETO for new systems where you control both the issuer and the verifier, and you want to avoid the well-documented JWT footguns. Use JWT when you need to interoperate with OAuth 2.0, OpenID Connect, or other standards that mandate it, or when you must integrate with vendors who only speak JWT. Many teams also pick PASETO v4 for internal service-to-service tokens while still using JWT at the user-facing edge.
Can I decode a v*.local token's payload here?
No. local tokens are encrypted with a symmetric key — without that key, the payload bytes are opaque ciphertext and cannot be turned back into JSON. This tool will still show the version, purpose, raw ciphertext length, footer, and authentication tag length, which is usually enough for debugging issuance and routing problems.
Related Tools
JWT Decoder
Decode JSON Web Tokens to inspect header, payload, and verify signatures.
Base64 Encode/Decode
Encode and decode Base64 strings and files with drag-and-drop support.
Encryption Playground
Experiment with AES-GCM, AES-CBC, and RSA-OAEP encryption. Step-by-step visualization of the encryption process.
Hash Generator
Generate MD5, SHA-1, SHA-256, and SHA-512 hashes for text and files.
URL Encode/Decode
Encode and decode URLs, parse query parameters, and build query strings.