JWT Decoder
Decode JWTs to inspect header, payload, and expiry status.
What is a JSON Web Token (JWT)?
A JWT (RFC 7519) is a compact, URL-safe token that carries a set of claims as a JSON object. In its common form (a JWS) the token is digitally signed, either with a shared secret (HMAC, e.g. HS256) or with a private key whose matching public key the verifier holds (RSA or ECDSA, e.g. RS256, ES256). The signature lets a recipient check that the token was produced by the holder of the key and has not been altered; it does not hide the contents, which anyone holding the token can decode.
A JWT consists of three parts: the header (signing algorithm and token type), the payload (the claims), and the signature, which is computed over the first two parts. Each part is Base64url-encoded and the three are joined with dots: header.payload.signature.
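The following is an added example, not the decoder tool's own source, showing what decoding a token involves: splitting on dots, Base64url-decoding the first two segments, parsing them as JSON, and comparing the exp claim against the current time. It runs under Node.js 16 or later (Buffer understands the 'base64url' encoding). The sample token is constructed inside the block with a placeholder signature, since decoding does not need a valid one; the issuer URL and claim values are made up for the demo.

```javascript
// Added example, not the tool's own source: decode a JWT's header and payload
// and report its expiry status, exactly what a decoder can do without the key.
// Node.js 16+ (Buffer understands the 'base64url' encoding). No signature check.

const B64URL_RE = /^[A-Za-z0-9_-]*$/;

function base64urlDecode(str) {
  // Reject stray '+', '/', '=' or whitespace instead of silently mis-decoding.
  if (!B64URL_RE.test(str)) throw new Error('invalid base64url segment');
  return Buffer.from(str, 'base64url');
}

// Split a compact JWS (header.payload.signature) and decode the two JSON parts.
// `now` is seconds since the Unix epoch; it is a parameter so results are reproducible.
function decodeJwt(token, now = Math.floor(Date.now() / 1000)) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error(`expected 3 dot-separated parts, got ${parts.length}`);
  const [h, p, s] = parts;
  const header = JSON.parse(base64urlDecode(h).toString('utf8'));
  const payload = JSON.parse(base64urlDecode(p).toString('utf8'));

  // exp, nbf and iat are NumericDate values: seconds, not milliseconds (RFC 7519).
  let status = 'no exp claim';
  if (typeof payload.exp === 'number') status = payload.exp <= now ? 'expired' : 'valid';
  if (typeof payload.nbf === 'number' && payload.nbf > now) status = 'not yet valid';

  return {
    header,
    payload,
    signatureBytes: base64urlDecode(s).length, // 0 for an unsigned ("alg":"none") token
    expiresAt: typeof payload.exp === 'number' ? new Date(payload.exp * 1000).toISOString() : null,
    status,
  };
}

// Constructed sample token for the demo (made-up issuer and subject). The signature
// segment is a placeholder: decoding ignores it, verification would reject it.
function buildSampleToken() {
  const enc = (obj) => Buffer.from(JSON.stringify(obj), 'utf8').toString('base64url');
  const header = { alg: 'HS256', typ: 'JWT' };
  const payload = { sub: '1234567890', iss: 'https://issuer.example', iat: 1699999100, exp: 1700000000 };
  return `${enc(header)}.${enc(payload)}.placeholder-signature`;
}

console.log(JSON.stringify(decodeJwt(buildSampleToken()), null, 2));
```

Because `now` is passed in, the same token can be shown as valid or expired by moving the clock; a real decoder uses the wall clock, which is why a token pasted a day later reports "expired" even though nothing about it changed.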
How JWT Authentication Works
- User logs in with credentials (username/password)
- Server validates credentials and creates a signed JWT containing user info
- Client stores the JWT (usually in memory or an httpOnly cookie)
- Client sends the JWT in the Authorization header with each API request
- Server verifies the signature with a pinned algorithm, checks the time and identity claims (exp, nbf, iss, aud), and only then uses the user info from the payload
This approach is stateless: the server does not need to look up a session store on each request, which suits distributed systems and microservices. The trade-off is that a token cannot be revoked before it expires unless the server keeps a denylist, which is one reason expiry times are kept short.
JWT Security Best Practices
- Use short expiration times (15-60 minutes) and renew with refresh tokens
- Never put secrets or sensitive personal data in the payload: it is only Base64url-encoded, not encrypted, and anyone holding the token can read it
- Prefer an asymmetric algorithm such as RS256 or ES256 over HS256 when several services verify tokens: with HS256 every verifying service holds the signing secret and could therefore mint tokens itself
- Always validate on the server: pin the expected algorithm (never trust the token's alg header or accept "none"), verify the signature, then check exp, nbf, iss and aud
- Store JWTs in httpOnly cookies rather than localStorage, which any script on the page can read. httpOnly does not prevent XSS itself; it limits what an injected script can steal. Because cookies are sent automatically, pair them with SameSite and CSRF protection
Frequently Asked Questions
- What is a JWT?
- A JSON Web Token (JWT) is a compact, URL-safe token format defined by RFC 7519. It consists of three Base64url-encoded parts separated by dots: header.payload.signature. JWTs are commonly used for authentication and authorization in web applications.
- Can this tool verify JWT signatures?
- This tool decodes and displays the JWT contents (header and payload) only. Verifying the signature needs the HMAC secret or the issuer's public key; an HMAC secret must never be pasted into an online tool, and in any case verification belongs on the server, where the algorithm is pinned and the key is held.
- Is it safe to paste my JWT here?
- Yes: all decoding happens in your browser and the token is not sent anywhere. However, JWTs are bearer tokens: anyone who has the token can use it until it expires. Never share production JWTs in public places. For testing, use short-lived tokens or tokens from development environments.
- What are common JWT claims?
- Registered claims include: sub (subject/user ID), iss (issuer), exp (expiration time), iat (issued at), aud (audience), nbf (not before), and jti (JWT ID, a unique value that lets a server detect replay). Custom claims can contain any application-specific data, but the server should only act on claims it has verified.
- Why does my JWT show as expired?
- JWTs carry an "exp" claim holding a NumericDate: seconds since the Unix epoch, not milliseconds. If the current time is at or past that value, the token is expired, and servers should reject it (allowing at most a few seconds of clock skew). Check the "exp" field in the decoded payload to see the exact expiry time. If a freshly issued token already shows as expired, the usual causes are an issuer writing milliseconds instead of seconds, or a clock that is off between the issuer and the machine doing the check.