JWT Decoder

Instantly decode JWT tokens and inspect headers, payloads, and signatures. Provides HMAC signature verification, expiration checking, and history storage features.

Last updated: 2026/01/26


100% Browser Processing: Your JWT and Secret Key are never sent to any server.

What is JWT Decoder?

JWT Decoder is a developer tool that analyzes JSON Web Tokens (JWT) to inspect their internal structure and data. JWT is a widely used standard (RFC 7519) for user authentication and information exchange in web applications. This tool allows you to easily analyze the header, payload, and signature of any token.

Key Features

  • Real-time Decoding: Enter a JWT token and instantly see the header and payload displayed in JSON format.
  • Signature Verification: Verify the validity of tokens signed with HMAC algorithms (HS256, HS384, HS512).
  • Expiration Time Check: Time-related claims like exp, iat, and nbf are converted to human-readable date formats.
  • History Management: Save recently decoded tokens for quick access later.
  • 100% Client-side Processing: All decoding happens in your browser, ensuring security and privacy.

Understanding JWT Structure

A JWT consists of three parts separated by dots (.):

  • Header: Specifies the token type (typ) and signing algorithm (alg). Example: {"alg": "HS256", "typ": "JWT"}
  • Payload: Contains the actual data called claims. This includes user information, permissions, expiration time, and more.
  • Signature: The result of signing the encoded header and payload with a secret key. Used to prevent token tampering.

Common Claims Explained

JWT payloads can contain various standard claims:

  • iss (Issuer): Identifies the entity that issued the token.
  • sub (Subject): Represents the subject of the token (usually the user ID).
  • aud (Audience): Specifies the intended recipient of the token.
  • exp (Expiration Time): The token’s expiration time. The token is invalid after this time.
  • nbf (Not Before): The token is not valid before this time.
  • iat (Issued At): The time when the token was issued.
  • jti (JWT ID): A unique identifier for the token.

How to Use

  1. Paste a JWT token into the input field, or click the Sample button to see an example.
  2. Once a token is entered, the header, payload, and signature information are automatically displayed.
  3. If signature verification is needed, enter your secret key in the Secret Key field.
  4. Time-related claims are automatically converted to readable date formats.
  5. Recently decoded tokens are saved in history for later reference.

Security Considerations

  • Handle Sensitive Data Carefully: JWT payloads are not encrypted, only Base64 encoded. Never include sensitive information in the payload.
  • Always Verify Signatures: In production environments, always verify signatures to prevent token tampering.
  • Check Expiration Times: Always check the exp claim to avoid using expired tokens.
  • Use HTTPS: Always use HTTPS when transmitting JWTs to prevent token theft.

Frequently Asked Questions

What is a JWT token?

JWT (JSON Web Token) is an open standard (RFC 7519) for securely transmitting information between parties. It’s self-contained, meaning all necessary information is stored within the token itself, enabling user authentication without a separate session store. JWTs are widely used in web application login systems, API authentication, and Single Sign-On (SSO) implementations.

What is the difference between JWT and session-based authentication?

Session-based authentication stores user information on the server and only provides a session ID to the client. JWT, on the other hand, includes all information within the token itself, eliminating the need to maintain server state (stateless). This makes JWT ideal for distributed systems and microservices architectures, allowing for easier server scaling.

Is JWT decoding secure?

This JWT decoder runs 100% in your browser and never sends any data to a server. However, JWT payloads are not encrypted—they’re only Base64 encoded—so anyone can decode them. Therefore, you should never include sensitive information like passwords or credit card numbers in a JWT.

What is the difference between HS256 and RS256 algorithms?

HS256 (HMAC-SHA256) is a symmetric key algorithm that uses the same secret key for both signing and verification. RS256 (RSA-SHA256) is an asymmetric key algorithm that signs with a private key and verifies with a public key. HS256 is simpler to implement and faster, while RS256 allows secure distribution of the public key, making it advantageous in microservices environments.

What should I do when a JWT token expires?

When a JWT expires, you need to obtain a new token. The common approach is to use a Refresh Token to renew the Access Token. Access Tokens have short expiration times (e.g., 15 minutes) while Refresh Tokens have longer ones (e.g., 7 days). This balances security with user experience.

Where should I store JWTs?

JWTs can be stored in localStorage, sessionStorage, or cookies. localStorage is convenient but vulnerable to XSS attacks. HttpOnly cookies are more secure since JavaScript cannot access them, but you need to protect against CSRF attacks. For security-critical applications, we recommend using cookies with HttpOnly, Secure, and SameSite attributes.

Why is signature verification necessary?

Signature verification confirms that a JWT has not been tampered with. If a malicious user modifies the payload, the signature won’t match. The server recalculates the signature using the secret key and compares it to the signature in the token to verify integrity. Without this process, anyone could modify a token to impersonate another user.
