What is a JWT Decoder and what does it do?
A JWT Decoder is a specialized development tool designed to parse and display the contents of a JSON Web Token (JWT). JWTs are a compact, URL-safe means of representing claims to be transferred between two parties. They are commonly used for authentication and information exchange in modern web applications.
A JWT consists of three parts separated by dots: a Header, a Payload, and a Signature. While the signature is used for verification, the Header and Payload are simply Base64Url encoded. Our tool takes this encoded string and instantly decodes it into readable JSON format, allowing you to inspect the algorithm used, the issuer, the expiration time, and any custom claims embedded within the token.
How to use the JWT Decoder
Inspecting your tokens is straightforward and secure:
- Paste your Token: Copy your JWT (the long string starting with eyJ...) and paste it into the input area.
- Automatic Parsing: The tool will instantly detect the three parts and display them in separate, syntax-highlighted blocks.
- Inspect Header: Look at the "Header" section to see the token type (typ) and the signing algorithm (alg, e.g. HS256 or RS256).
- Inspect Payload: The "Payload" section contains the actual data (claims). You can check the exp (expiration), iat (issued at), and sub (subject) fields.
- Validation: Note that this tool decodes the content but does not verify the signature against a secret or public key. A decoded token shows what it claims, not whether those claims are authentic; signature verification belongs on your server. The tool is for inspection and debugging purposes.
The Structure of a JWT
A JSON Web Token follows a strict three-part structure:
- Header: Typically consists of two parts: the type of the token (typ, normally "JWT") and the signing algorithm (alg, e.g. HS256 or RS256).
- Payload: Contains the claims. Claims are statements about an entity (typically, the user) and additional data. There are three types of claims: registered (such as iss, sub, exp and iat), public, and private claims.
- Signature: To create the signature, take the encoded header, a dot, and the encoded payload, and sign that string with the algorithm named in the header. With HS256 the key is a shared secret (HMAC-SHA256); with RS256 or ES256 it is the issuer's private key, and anyone holding the matching public key can verify it.
The final JWT looks like this: base64UrlEncode(header) + "." + base64UrlEncode(payload) + "." + base64UrlEncode(signature)
Worked example
Let's look at a typical authentication token payload:
{
"sub": "1234567890",
"name": "John Doe",
"admin": true,
"iat": 1516239022,
"exp": 1516242622
}
By decoding this with our tool, you can see that:
- The user ID (sub) is 1234567890.
- The token asserts that the user has admin privileges (admin: true). Decoding only shows the assertion; only a verified signature tells you the issuer actually made it.
- The token was issued at Unix timestamp 1516239022 (iat), i.e. 2018-01-18 01:30:22 UTC.
- The token will expire (exp) exactly one hour (3600 seconds) after it was issued, at 1516242622.
Practical tips for Developers
- Never put sensitive data in a JWT: Remember that a signed JWT is encoded, not encrypted (confidentiality requires a separate encrypted token format, JWE). Anyone who intercepts the token can decode it. Never store passwords, credit card numbers, or sensitive PII in the payload.
- Verify Expiration: Always check the exp claim on your server (the current time must be before exp, allowing at most a small clock-skew leeway) to prevent accepting expired sessions.
- Check Algorithm: Reject tokens whose header alg is "none", and never let the token choose how it is verified: configure the algorithm(s) and key your server accepts and treat anything else as invalid. Libraries that accepted "none", or let a token switch the server from an asymmetric to a symmetric algorithm, have caused authentication bypasses in the past.
- Debugging Auth: Use this tool to quickly verify that your backend is sending the correct user IDs or roles before you dive deep into code debugging.
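The following Python script is an added example written for this page, not code from the decoder tool itself. It pulls together the structure section and the tips above: it builds an HS256 token from the worked-example claims, decodes it without any key (which is all this tool does), and then verifies it the way a server should: pinning the allowed algorithm so "none" is rejected, comparing the HMAC in constant time, and checking exp only after the signature holds. The secret, the fixed clock value NOW, and the forged and tampered tokens are all constructed for the demonstration.

```python
"""Encode, decode and verify HS256 JWTs using only the Python standard library."""
import base64
import hashlib
import hmac
import json

# The server pins the algorithms it accepts. The token's own alg field is only
# ever compared against this set, never used to pick a verifier.
ALLOWED_ALGS = {"HS256"}


def b64url_encode(data: bytes) -> str:
    """Base64Url per RFC 7515: '+' -> '-', '/' -> '_', trailing '=' removed."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Put the omitted '=' padding back before decoding a JWT segment."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def encode_jwt(header: dict, payload: dict, secret=None) -> str:
    """base64url(header) '.' base64url(payload) '.' base64url(HMAC-SHA256(...)).
    With secret=None the signature segment is left empty, which is what an
    'alg: none' token looks like; used here only to build forged test input."""
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    )
    if secret is None:
        return signing_input + "."
    tag = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(tag)


def decode_unverified(token: str) -> tuple:
    """What a decoder tool does: split on '.', Base64Url-decode, parse JSON.
    No key is involved, so anyone holding the token can read every claim."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError(f"expected 3 segments, got {len(parts)}")
    header = json.loads(b64url_decode(parts[0]))
    payload = json.loads(b64url_decode(parts[1]))
    return header, payload, b64url_decode(parts[2])


def verify_jwt(token: str, secret: bytes, now: int, leeway: int = 0) -> dict:
    """What the server must do. Returns the claims or raises ValueError.
    The signature is checked before any claim, including exp, is trusted."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    alg = header.get("alg") if isinstance(header, dict) else None
    if alg not in ALLOWED_ALGS:  # rejects "none" and any unexpected algorithm
        raise ValueError(f"algorithm {alg!r} not allowed")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    # Constant-time comparison: a plain == leaks how many bytes matched.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    claims = json.loads(b64url_decode(payload_b64))
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)):
        raise ValueError("missing or non-numeric exp")
    # RFC 7519: the current time must be strictly before exp (plus any leeway).
    if now >= exp + leeway:
        raise ValueError("token expired")
    return claims


# Constructed demo inputs: the page's worked-example claims and a throwaway key.
SECRET = b"demo-secret-not-for-production"
HEADER = {"alg": "HS256", "typ": "JWT"}
CLAIMS = {"sub": "1234567890", "name": "John Doe", "admin": True,
          "iat": 1516239022, "exp": 1516242622}
NOW = 1516240000  # a fixed clock inside the one-hour validity window


def check(token: str, now: int = NOW, leeway: int = 0) -> tuple:
    """Wrap verify_jwt so outcomes compare easily: ('accepted', claims) or ('rejected', reason)."""
    try:
        return "accepted", verify_jwt(token, SECRET, now, leeway)
    except ValueError as err:
        return "rejected", str(err)


if __name__ == "__main__":
    token = encode_jwt(HEADER, CLAIMS, SECRET)
    print(token)
    print(decode_unverified(token)[:2])   # header and payload readable without the key
    print(check(token))                    # accepted
    forged = encode_jwt({"alg": "none", "typ": "JWT"}, dict(CLAIMS, sub="1"))
    print(check(forged))                   # rejected: algorithm 'none' not allowed
    print(check(token, now=1516242623))    # rejected: token expired
```

Running it prints the token, the decoded header and payload, and the verification outcomes. The order inside verify_jwt is deliberate: an unsigned payload can carry any exp it likes, so expiry is only meaningful once the signature has been checked, and the allow-list check on alg comes first so the token can never talk the server into a verifier it did not configure.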
Frequently asked questions
Is it safe to paste my JWT here? Yes. Our decoder runs entirely in your browser using JavaScript. Your token is never sent to our server or stored in any database. It stays on your machine. Even so, a live token is a bearer credential: prefer pasting expired or test tokens where you can, and avoid sharing screenshots of decoded production tokens.
Why can't I see the signature? The signature is raw binary, an HMAC tag or an RSA/ECDSA signature over the first two segments, shown Base64Url-encoded. It is not JSON like the header and payload, so there is nothing to decode into readable fields. Its purpose is machine verification, not human inspection.
What is Base64Url encoding? It is a variation of Base64 that replaces + with - and / with _ and omits the trailing = padding, so the token can be placed in URLs, cookies and HTTP headers without escaping.