Command Palette

Search for a command to run...

JWT

JWT Decoder

Decode JSON Web Tokens (JWT) locally.

JWT Token
Paste your JWT here

What

JWT Decoder definition

A JWT (JSON Web Token) is a compact token with header, payload, and signature; this tool decodes the token contents.

Cases

Use Cases

1

Inspect claims like issuer or expiration

2

Debug auth issues by reading payloads

3

Check token structure before validation

How To

How to Decode a JWT Token

A step-by-step guide to inspecting the header, payload, and signature of a JWT.

1

Paste JWT

Paste the JWT string into the input field.

2

View structure

The header and payload are decoded and displayed as JSON.

3

Review claims

Check payload claims like exp, iat, and sub.

Knowledge

Understanding JSON Web Tokens

What is a JWT?
A JSON Web Token (JWT) is a compact, URL-safe means of representing claims between two parties. It's commonly used for authentication and information exchange in web applications and APIs.
JWT Structure
JWTs consist of three parts separated by dots: Header (algorithm and token type), Payload (claims/data), and Signature (verification). Each part is Base64URL-encoded. The signature ensures the token hasn't been tampered with.
Common JWT Claims
Standard claims include: iss (issuer), sub (subject), aud (audience), exp (expiration), iat (issued at), nbf (not before), and jti (JWT ID). Custom claims can be added for application-specific data.
JWT Signing Algorithms
Common algorithms include HS256 (HMAC with SHA-256, symmetric) and RS256 (RSA with SHA-256, asymmetric). Asymmetric algorithms allow public key verification without sharing the private signing key.
JWT Security Considerations
Never store sensitive data in JWT payloads (they're only encoded, not encrypted). Always validate the signature server-side. Use short expiration times. Never use the 'none' algorithm in production.

FAQ

JWT decoder FAQ

What does this decoder do?
It Base64-decodes the header and payload locally; no secret key is required.
Does decoding verify the signature?
No. Decoding is not validation; signature verification needs the signing key on your server.
Where are JWTs used?
Authorization bearer tokens, API sessions, and short-lived access/refresh flows with exp/nbf claims.
How do I check expiration safely?
Read the exp/nbf claims and compare against current UTC time. Treat tokens without exp as long-lived and rotate them cautiously.
How did JWTs start?
JWT became an IETF standard (RFC 7519) in 2015 to share claims securely between parties using JSON and signatures.
How popular are JWTs now?
JWTs are widely used for web authentication, mobile APIs, and microservices because they are compact and language-agnostic.
What are common JWT use cases?
Bearer auth tokens, SSO session propagation, temporary download links, and user metadata transfer across services.
Any maintenance tips for JWTs?
Use short expirations, rotate signing keys, pin algorithms (avoid none), and keep payloads small to limit bandwidth and exposure.
JWT Decoder