
JWT Decoder

Decode and inspect JSON Web Tokens

About JWT (JSON Web Tokens)

What is a JWT?

JWT (JSON Web Token) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed.

  • Compact: JWTs are small enough to be sent in a URL, a POST parameter, or an HTTP header
  • Self-contained: Carries all the information about the user that the recipient needs, avoiding a database lookup on every request
  • Stateless: The server does not need to store session information
  • Signed: The signature lets the recipient verify integrity and origin, using either a shared HMAC secret or a public/private key pair; signing does not hide the contents

JWT Structure

A JWT consists of three parts separated by dots (.):

  1. Header: Contains the type of token and the signing algorithm
  2. Payload: Contains the claims (statements about an entity and additional data)
  3. Signature: Used to verify the token hasn't been altered

Format: header.payload.signature

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
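The split-and-decode step this tool performs on the token above, as an added Python example (not code from this page or its decoder). It uses only the standard library; the returned dict layout and the helper names are my own choice. Note what it does not do: it reads the header and payload without any key and never checks the signature, which is exactly why a decoder must not be mistaken for a validator.

```python
import base64
import json

# The example token from this page: header.payload.signature
EXAMPLE_JWT = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ."
    "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
)


def b64url_decode(segment: str) -> bytes:
    """Decode one base64url segment.

    JWT segments omit the trailing '=' padding, so restore it before handing
    the data to the base64 module (which insists on correct padding).
    """
    padding = "=" * (-len(segment) % 4)
    return base64.urlsafe_b64decode(segment + padding)


def decode_jwt(token: str) -> dict:
    """Split a compact JWT into its three parts and parse the two JSON parts.

    This performs NO signature verification. Anyone holding the token can run
    this, which is why secrets must never be placed in the header or payload.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError(f"expected 3 dot-separated segments, got {len(parts)}")
    header_b64, payload_b64, signature_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    payload = json.loads(b64url_decode(payload_b64))
    signature = b64url_decode(signature_b64)
    # The signature is raw bytes, not JSON; report only its length
    # (32 bytes for HS256, the HMAC-SHA256 output size).
    return {"header": header, "payload": payload, "signature_bytes": len(signature)}


if __name__ == "__main__":
    print(json.dumps(decode_jwt(EXAMPLE_JWT), indent=2))
```

Running it prints the same header and payload the tool shows for this token; the 32-byte signature length is consistent with the HS256 algorithm declared in the header, but consistency of length says nothing about whether the signature is valid.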

Common Use Cases

  • Authentication: After login, each request includes the JWT, allowing the user to access routes and resources
  • Authorization: Once logged in, users can access resources permitted by their token
  • Information Exchange: Securely transmit information between parties
  • Single Sign-On (SSO): Share authentication state across multiple domains
  • API Security: Authenticate API requests without storing session state

JWT Claims

Claims are statements about an entity and additional metadata. There are three types:

  • Registered claims: Predefined claims such as iss (issuer), exp (expiration), sub (subject)
  • Public claims: Can be defined at will, but to avoid collisions should be registered in the IANA JSON Web Token Claims registry or use a collision-resistant name such as a URI
  • Private claims: Custom claims agreed between the parties that share the token

Common claims:

  • iss - Issuer: who created and signed the token
  • sub - Subject: the user this token refers to
  • aud - Audience: who the token is intended for
  • exp - Expiration: when the token expires
  • iat - Issued at: when the token was issued
  • nbf - Not before: token is not valid before this time

Example JWT Token

Header:

{
  "alg": "HS256",
  "typ": "JWT"
}

Payload:

{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022,
  "exp": 1516242622
}

Encoded Token:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyLCJleHAiOjE1MTYyNDI2MjJ9.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Security Best Practices

  • Always use HTTPS: Transmit JWTs only over secure connections, since anyone who captures a token can replay it until it expires
  • Set expiration times: Use short expiration times, especially for sensitive operations
  • Validate tokens: Always verify the signature on the server, then check the claims (exp, nbf, iss, aud) before trusting the payload
  • Store securely: If storing JWTs client-side, use HttpOnly cookies when possible so scripts cannot read them
  • Don't put sensitive data in the payload: JWT payloads are only Base64url-encoded, not encrypted, so anyone who holds the token can read them
  • Use strong secrets: Sign with a cryptographically random secret (for HS256, at least 256 bits), never a human-chosen passphrase
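The server-side half of the JWT Claims and Security Best Practices sections above, as an added Python example (not code from this page or its decoder). It issues an HS256 token and then verifies it the way the practices describe: signature first, with the algorithm pinned by the server rather than taken from the header, then exp, nbf, iss and aud. DEMO_SECRET, ISSUER, AUDIENCE and the sample claims are constructed for the demo; the fixed timestamp makes the example reproducible.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed demo values. A real key should be >= 32 random bytes from a
# CSPRNG (e.g. secrets.token_bytes(32)) and live in a secret store, not in code.
DEMO_SECRET = b"demo-secret-not-for-production-use-0123456789"
ISSUER = "https://issuer.example"      # hypothetical issuer URL
AUDIENCE = "api.example"               # hypothetical audience identifier


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Build header.payload and append an HMAC-SHA256 tag over that exact string."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    tag = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(tag)


def verify_hs256(token: str, secret: bytes, issuer: str, audience: str,
                 now: Optional[float] = None, leeway: int = 30) -> dict:
    """Verify the signature, then the registered claims. Raises ValueError on
    any failure so a caller can never accidentally use an unverified payload."""
    now = time.time() if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: the server decides what is acceptable, never the token.
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(secret, f"{header_b64}.{payload_b64}".encode("ascii"),
                        hashlib.sha256).digest()
    # Constant-time comparison: do not leak how many tag bytes matched.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    # exp is mandatory here: a token without expiry would be valid forever.
    if "exp" not in claims or now > claims["exp"] + leeway:
        raise ValueError("token expired or has no exp")
    if now + leeway < claims.get("nbf", 0):
        raise ValueError("token not yet valid")
    if claims.get("iss") != issuer:
        raise ValueError("wrong issuer")
    aud = claims.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("wrong audience")
    return claims


def demo(now: float = 1_700_000_000.0) -> dict:
    """Issue a 15-minute token, then run the verifier over it and over
    constructed bad inputs a server must reject. Returns the outcome per case."""
    claims = {"iss": ISSUER, "aud": AUDIENCE, "sub": "1234567890",
              "iat": int(now), "nbf": int(now), "exp": int(now) + 900}
    token = sign_hs256(claims, DEMO_SECRET)
    header_b64, payload_b64, sig_b64 = token.split(".")
    edited_payload = b64url_encode(
        json.dumps(dict(claims, sub="0000000000"), separators=(",", ":")).encode())
    cases = {
        "genuine": token,
        # payload changed, old signature kept: must fail the HMAC check
        "payload_edited": f"{header_b64}.{edited_payload}.{sig_b64}",
        # header claims no algorithm and the signature is empty: alg pinning rejects it
        "alg_none": b64url_encode(b'{"alg":"none","typ":"JWT"}') + f".{payload_b64}.",
        "expired": sign_hs256(dict(claims, exp=int(now) - 3600), DEMO_SECRET),
        "wrong_audience": sign_hs256(dict(claims, aud="other.example"), DEMO_SECRET),
    }
    outcome = {}
    for name, candidate in cases.items():
        try:
            verify_hs256(candidate, DEMO_SECRET, ISSUER, AUDIENCE, now=now)
            outcome[name] = "accepted"
        except ValueError as err:
            outcome[name] = f"rejected: {err}"
    return outcome


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:15s} {result}")
```

The order of checks is deliberate: the signature is verified before any claim is read, so the expiry and audience logic only ever runs on data the issuer actually signed. The small leeway absorbs clock skew between issuer and verifier without letting a long-expired token through.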

Related tools

For document privacy: PDF to Markdown — convert PDFs to Markdown without sending them to the cloud.