JWT Decoder

Decode and inspect JSON Web Tokens (JWT). View header, payload, and verify signature information.

About JWT Decoder

A JWT (JSON Web Token) decoder parses and displays the contents of JWT tokens, showing the header, payload, and signature information in a readable format. JWTs are widely used for authentication and authorization in web applications — they carry user identity claims and session information between the client and server. Understanding what is inside a JWT is essential for debugging authentication issues, verifying token claims, and auditing security configurations.

How to Use

Paste your JWT token (a string with three parts separated by dots: header.payload.signature) into the input field. The decoder instantly parses and displays the decoded header (algorithm and token type), payload (claims and data), and signature information. It shows whether the signature is valid (for HS256 tokens with a known secret) and highlights the expiration time.

Formula / Key Equations

JWT structure: the header (Base64URL-encoded JSON) contains alg and typ. The payload (Base64URL-encoded JSON) contains claims such as sub (subject), iat (issued at), exp (expiration), aud (audience) and iss (issuer). The signature is computed over the two encoded parts joined by a dot: Signature = HMAC(base64url(header) + '.' + base64url(payload), secret) for HS256, or an RSA/ECDSA signature over the same input for asymmetric algorithms. Dots separate the three parts, so a well-formed token always contains exactly two of them.

Common Use Cases

Debugging authentication and authorization issues in web applications. Verifying token claims and expiration times. Auditing JWT configuration for security best practices. Understanding what data is stored in tokens from third-party services. Learning JWT structure and claims. Testing token-based API authentication.

Limitations

The decoder only verifies HS256 signatures if you provide the secret key. It cannot verify RS256, ES256, or other asymmetric algorithms without the public key. Decoding a JWT does not validate that the token was issued by a legitimate authority — anyone can create a JWT with any payload. Never trust JWT claims without proper signature verification on the server side.
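The following Python script is an added example and not the tool's own code. It implements the decode step described under How to Use, the HS256 signature computation from Formula / Key Equations, and the behaviour described in this Limitations section: without a secret the signature is reported as unverified, and a token whose payload was changed after signing is reported as invalid. The secret and claims it uses are constructed for the example; the script relies only on the Python standard library.

```python
"""Decode a compact JWT and verify an HS256 signature (added example, not the tool's code)."""
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def b64url_decode(data: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def decode_jwt(token: str) -> dict:
    """Split header.payload.signature and parse the two JSON segments. No verification here."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected exactly three dot-separated segments")
    header_b64, payload_b64, signature_b64 = parts
    return {
        "header": json.loads(b64url_decode(header_b64)),
        "payload": json.loads(b64url_decode(payload_b64)),
        "signature": b64url_decode(signature_b64),
        # The signature is computed over the still-encoded header and payload joined by '.'.
        "signing_input": f"{header_b64}.{payload_b64}".encode("ascii"),
    }


def verify_hs256(token: str, secret: bytes) -> bool:
    """True only if the header says HS256 and HMAC-SHA256(signing_input, secret) matches."""
    parsed = decode_jwt(token)
    # Pin the algorithm instead of trusting whatever 'alg' the token announces.
    if parsed["header"].get("alg") != "HS256":
        return False
    expected = hmac.new(secret, parsed["signing_input"], hashlib.sha256).digest()
    # Constant-time comparison so the check does not leak how many bytes matched.
    return hmac.compare_digest(expected, parsed["signature"])


def _encode_json(obj: dict) -> str:
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def make_hs256_token(payload: dict, secret: bytes) -> str:
    """Sign a payload the way an issuing server would; used here to build sample tokens."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = f"{_encode_json(header)}.{_encode_json(payload)}"
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return f"{signing_input}.{b64url_encode(sig)}"


def swap_payload(token: str, new_payload: dict) -> str:
    """Replace the payload but keep the old signature: this is what a tampered token looks like."""
    header_b64, _, sig_b64 = token.split(".")
    return f"{header_b64}.{_encode_json(new_payload)}.{sig_b64}"


def inspect_token(token: str, secret: Optional[bytes] = None, now: Optional[int] = None) -> dict:
    """What the decoder page displays: header, payload, signature status and expiry."""
    parsed = decode_jwt(token)
    now = int(time.time()) if now is None else now
    exp = parsed["payload"].get("exp")
    if secret is None:
        status = "unverified (no secret supplied)"
    else:
        status = "valid" if verify_hs256(token, secret) else "invalid"
    return {
        "header": parsed["header"],
        "payload": parsed["payload"],
        "signature": status,
        "expired": exp is not None and now >= exp,
    }


# Constructed sample data: the secret and claims are invented for this example.
SECRET = b"constructed-demo-secret"
CLAIMS = {"sub": "user-123", "iat": 1700000000, "exp": 1700000900}
TOKEN = make_hs256_token(CLAIMS, SECRET)

if __name__ == "__main__":
    print(json.dumps(inspect_token(TOKEN, SECRET, now=1700000100), indent=2))
    tampered = swap_payload(TOKEN, {**CLAIMS, "sub": "someone-else"})
    print("tampered token signature:", inspect_token(tampered, SECRET)["signature"])
```

Run it directly to see the same three views the tool shows (header, payload, signature status) for the constructed token, followed by the "invalid" verdict for the tampered copy. The verifier pins the algorithm to HS256 rather than reading it from the header, which is the server-side habit the Limitations section is pointing at: the token is untrusted input until its signature has been checked.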

Frequently Asked Questions

What is a JWT and how does it work?

A JSON Web Token (JWT) is a compact, URL-safe token that contains three parts: a header (metadata about the token), a payload (claims or data), and a signature (proof of authenticity). The server signs the token with a secret key and the client sends it with each request for authentication.

Is it safe to decode JWT tokens?

Yes, decoding the header and payload is safe and intentional — they are just Base64URL-encoded JSON that anyone can read. The security comes from the signature, which prevents tampering. Only the server with the secret key can create valid signatures.

What claims should a JWT contain?

Standard claims (registered claims) include: iss (issuer), sub (subject/user ID), aud (audience), exp (expiration time), iat (issued at time), and jti (unique token ID). Custom claims can include user roles, permissions, or any application-specific data. Keep the payload small to minimize token size.

How long should a JWT be valid?

Combining short-lived access tokens (5-15 minutes) with longer-lived refresh tokens (days/weeks) is the recommended pattern. This limits the damage if a token is stolen. For stateless JWTs (no server-side session), short expiration times are especially important, since tokens cannot be revoked.
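As an added example, not part of this page's tool, the following Python checks the registered claims listed in the previous answer and issues the short-lived access / longer-lived refresh pair described in this one. The issuer, audience and subject values are constructed; the 15-minute and two-week lifetimes are assumptions chosen from the ranges the page gives; the nbf (not before) check covers a registered claim from RFC 7519 that the page does not list.

```python
"""Validate the registered claims of an already-decoded JWT payload (added example)."""
import secrets
from typing import Dict, List, Sequence

# Assumed lifetimes, taken from the page's guidance: 5-15 minute access tokens, days/weeks refresh.
ACCESS_TTL = 15 * 60           # 15 minutes
REFRESH_TTL = 14 * 24 * 3600   # two weeks


def issue_token_pair(now: int, subject: str, issuer: str, audience: str) -> Dict[str, dict]:
    """Build the claim sets for a short-lived access token and a longer-lived refresh token."""
    common = {"iss": issuer, "sub": subject, "aud": audience, "iat": now}
    return {
        # jti is a fresh random id so each token can be tracked or denied individually.
        "access": {**common, "exp": now + ACCESS_TTL, "jti": secrets.token_urlsafe(16), "token_use": "access"},
        "refresh": {**common, "exp": now + REFRESH_TTL, "jti": secrets.token_urlsafe(16), "token_use": "refresh"},
    }


def validate_claims(payload: dict, *, now: int, expected_iss: str, expected_aud: str,
                    leeway: int = 30, required: Sequence[str] = ("sub", "exp", "jti")) -> List[str]:
    """Return a list of problems; an empty list means the claims are acceptable.

    Run this only after the signature has been verified: claims from an unverified
    token prove nothing, as the Limitations section of the page says.
    """
    problems: List[str] = []
    for name in required:
        if name not in payload:
            problems.append(f"missing required claim: {name}")

    # Time-based claims, with a small leeway for clock skew between issuer and verifier.
    exp = payload.get("exp")
    if exp is not None and now >= exp + leeway:
        problems.append("expired")
    nbf = payload.get("nbf")
    if nbf is not None and now + leeway < nbf:
        problems.append("not yet valid (nbf)")
    iat = payload.get("iat")
    if iat is not None and iat > now + leeway:
        problems.append("issued in the future (iat)")

    # iss and aud must match exactly; a token minted for another service must not be accepted here.
    if payload.get("iss") != expected_iss:
        problems.append("issuer mismatch")
    aud = payload.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_aud not in audiences:
        problems.append("audience mismatch")
    return problems


# Constructed sample values for the demonstration.
ISSUER = "https://issuer.example"
AUDIENCE = "api.example"
NOW = 1700000000

if __name__ == "__main__":
    pair = issue_token_pair(NOW, "user-123", ISSUER, AUDIENCE)
    for label, when in (("fresh", NOW + 60), ("20 minutes later", NOW + 1200)):
        print(label, "access:", validate_claims(pair["access"], now=when, expected_iss=ISSUER, expected_aud=AUDIENCE))
        print(label, "refresh:", validate_claims(pair["refresh"], now=when, expected_iss=ISSUER, expected_aud=AUDIENCE))
```

Twenty minutes after issuance the access token reports "expired" while the refresh token is still acceptable, which is exactly the split the answer recommends: the refresh token is presented only to the token endpoint, and a new short-lived access token is issued from it.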

What is the difference between JWT and session cookies?

JWTs are self-contained tokens carrying user data, ideal for stateless APIs and microservices. Session cookies reference server-side session storage, ideal for traditional server-rendered apps. JWTs work across domains and services, while session cookies are tied to a specific domain and require server-side storage.