JWT Decoder

Decode and inspect JSON Web Tokens


About JSON Web Tokens

Header

Contains the token type (JWT) and the signing algorithm being used (HS256, RS256, etc.)

Payload

Contains the claims - statements about the user and additional metadata

Signature

Used to verify the message wasn't changed and authenticate the sender

JWT Decoder - Decode and Inspect JSON Web Tokens

Decode, inspect, and debug JSON Web Tokens (JWT) with our free online JWT decoder. View the header, payload, and signature of any JWT instantly. Useful for developers working with authentication, OAuth, and secure API communication.

What is a JSON Web Token (JWT)?

A JSON Web Token is a compact, URL-safe way to represent claims to be transferred between two parties. JWTs are commonly used for authentication and information exchange in modern web applications. They consist of three parts separated by dots: Header.Payload.Signature.

JWT Structure Explained

  • Header: Contains the token type (JWT) and the signing algorithm (e.g., HS256, RS256). This tells the system how to verify the token's signature.
  • Payload: Contains the claims - statements about an entity (typically the user) and additional data. Includes standard claims like iss (issuer), exp (expiration), sub (subject), and custom claims.
  • Signature: Created by encoding the header and payload, then signing with a secret key or private key. This ensures the token hasn't been tampered with.

Common JWT Claims

  • iss (Issuer): Who created and signed the token
  • sub (Subject): Who the token is about (usually user ID)
  • aud (Audience): Who the token is intended for
  • exp (Expiration): When the token expires (Unix timestamp)
  • iat (Issued At): When the token was created
  • nbf (Not Before): Token not valid before this time
  • jti (JWT ID): Unique identifier for the token

How JWTs Work in Authentication

  1. User logs in with credentials
  2. Server validates credentials and creates a JWT
  3. JWT is sent to the client (usually stored in localStorage or cookies)
  4. Client includes JWT in subsequent API requests (Authorization header)
  5. Server validates the signature and checks expiration
  6. If valid, server processes the request

JWT Signing Algorithms

  • HS256 (HMAC with SHA-256): Symmetric algorithm using a shared secret
  • RS256 (RSA with SHA-256): Asymmetric algorithm using public/private key pair
  • ES256 (ECDSA with SHA-256): Asymmetric algorithm with elliptic curve cryptography

JWT Security Best Practices

  • Always use HTTPS to transmit JWTs
  • Keep tokens short-lived (15 minutes to 1 hour for access tokens)
  • Use refresh tokens for long-lived sessions
  • Never store sensitive data in the payload (it's Base64 encoded, not encrypted)
  • Validate the signature on every request
  • Check expiration times (exp claim)
  • Use strong signing algorithms (RS256 recommended for production)
  • Rotate signing keys regularly
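To make the authentication flow and the verification practices above concrete, here is an added Python example (not code from this site) that builds an HS256 token, decodes it the way a decoder tool does, and then validates it the way a server must: algorithm pinned by the verifier, signature compared in constant time, then exp and nbf checked. The secret, claims and timestamps are constructed demo values.

```python
import base64
import hashlib
import hmac
import json
def b64url_decode(s: str) -> bytes:
    # JWT segments drop '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def sign_hs256(claims: dict, secret: bytes) -> str:
    # Server side of step 2: header.payload signed with the shared secret.
    header = b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"

def decode_jwt(token: str) -> dict:
    # What a decoder tool shows: the parts, with no statement about validity.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return {"header": json.loads(b64url_decode(parts[0])),
            "payload": json.loads(b64url_decode(parts[1])), "signature": b64url_decode(parts[2])}

def validate_hs256(token: str, secret: bytes, now: int) -> dict:
    # Step 5: pinned algorithm, signature, then exp/nbf against the caller's clock.
    try:
        decoded = decode_jwt(token)
    except ValueError as e:
        return {"ok": False, "error": f"malformed: {e}"}
    if decoded["header"].get("alg") != "HS256":  # never let the header choose
        return {"ok": False, "error": "unexpected alg"}
    head, body, _ = token.split(".")
    expected = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, decoded["signature"]):
        return {"ok": False, "error": "bad signature"}
    claims = decoded["payload"]
    if "exp" in claims and now >= claims["exp"]:
        return {"ok": False, "error": "token expired"}
    if "nbf" in claims and now < claims["nbf"]:
        return {"ok": False, "error": "token not yet valid"}
    return {"ok": True, "claims": claims}

# Constructed demo values (not a real key or user); TAMPERED swaps the payload but keeps the signature.
SECRET = b"constructed-demo-secret"
NOW = 1_700_000_000
TOKEN = sign_hs256({"iss": "demo-auth", "sub": "user-42", "iat": NOW, "exp": NOW + 900}, SECRET)
TAMPERED = TOKEN.split(".")[0] + "." + b64url_encode(b'{"sub":"user-1"}') + "." + TOKEN.split(".")[2]
```

Note that decode_jwt happily shows the tampered payload; only validate_hs256 reports it, which is why a decoder is an inspection aid and not a substitute for verification on every request.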

Common JWT Use Cases

  • Single Sign-On (SSO): Authenticate once, access multiple applications
  • API Authentication: Secure REST APIs without server-side sessions
  • OAuth 2.0: Standard protocol for authorization
  • Microservices: Pass user context between services
  • Mobile Apps: Stateless authentication for mobile clients

JWT vs Session Cookies

JWTs: Stateless, scalable, work across domains, larger size, can't be revoked easily.

Session Cookies: Stateful, require server storage, domain-restricted, smaller size, easy to revoke.

Choose JWTs for distributed systems and microservices. Choose session cookies for traditional server-rendered applications with centralized authentication.
