
JWT Decoder

Decode JSON Web Tokens and view their contents

What is JWT?

JWT Structure:

A JWT is three base64url-encoded segments separated by dots (header.payload.signature). The header and payload are JSON; the signature covers both.

Header

{
  "alg": "HS256",
  "typ": "JWT"
}

Payload

{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022
}

Signature

HMACSHA256(
  base64UrlEncode(header) + "." +
  base64UrlEncode(payload),
  secret
)

How JWT Decoding Works:

  1. Split Token: separate the three dot-delimited segments
  2. Decode Base64: base64url-decode the header and payload segments
  3. Parse JSON: parse the decoded header and payload as JSON objects
  4. Display Results: show the header, payload, and signature

Example decoded payload:

{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022
}

Signature

The signature is used to verify that the sender of the JWT is who it claims to be and to ensure that the message wasn't changed along the way. Checking it requires the secret (or public key) it was made with, so decoding alone says nothing about whether a token is genuine.

How to Use the JWT Decoder

  1. Paste your JWT token in the input field
  2. Click "Decode JWT" to decode the token
  3. View the decoded header, payload, and signature
  4. Use the copy buttons to copy individual parts
  5. Use "Clear" to reset all fields

JWT Claims

Registered Claims

  • iss (issuer): Who issued the token
  • sub (subject): Who the token is about
  • aud (audience): Who the token is intended for
  • exp (expiration time): When the token expires
  • nbf (not before): When the token becomes valid
  • iat (issued at): When the token was issued
  • jti (JWT ID): Unique identifier for the token

Public Claims

These can be defined at will by those using JWTs. However, to avoid collisions, they should either be registered in the IANA JWT Registry or be named with a URI that contains a collision-resistant namespace.

Private Claims

These are custom claims created to share information between parties that agree on using them; they are neither registered nor public claims.

Common JWT Use Cases

  • Authentication: Stateless authentication for web applications
  • Authorization: Access control and permissions
  • Information Exchange: Secure information exchange between parties
  • Single Sign-On (SSO): Cross-domain authentication
  • API Security: Securing REST APIs and microservices

JWT Security Considerations

⚠️ Security Note: This tool only decodes JWT tokens for viewing purposes. It does not verify signatures or validate tokens. Never use this tool with sensitive or production tokens in untrusted environments.

JWT vs Other Token Formats

JWT vs Session Tokens

  • JWT: Stateless, self-contained, larger size
  • Session Tokens: Stateful, server-side storage, smaller size

JWT vs OAuth Tokens

  • JWT: Token format and structure
  • OAuth: Authorization framework that can use JWTs

JWT Best Practices

  • Keep tokens as small as possible
  • Use strong signing algorithms (RS256, ES256)
  • Set appropriate expiration times
  • Validate all claims on the server side
  • Use HTTPS for token transmission
  • Store tokens securely on the client side
  • Implement proper token refresh mechanisms

JWT Libraries

  • JavaScript: jsonwebtoken, jose
  • Python: PyJWT, python-jose
  • Java: jjwt, java-jwt
  • .NET: System.IdentityModel.Tokens.Jwt
  • PHP: firebase/php-jwt

Frequently Asked Questions:

Does this tool validate the JWT signature?

What does it mean for JWTs to be 'stateless'?