What is a JWT Decoder?
A JWT decoder extracts and displays the information contained within a JSON Web Token. JWTs consist of three Base64URL-encoded parts separated by dots: the header specifies the signing algorithm, the payload contains the actual data (called claims), and the signature enables verification.
This tool decodes the header and payload instantly, revealing the token's contents without needing the signing key. It's invaluable for debugging authentication issues, understanding token contents, and verifying claim values during development.
Understanding JWT Structure
A JWT looks like: xxxxx.yyyyy.zzzzz. The first part (header) typically contains the algorithm (HS256, RS256, etc.) and token type. The second part (payload) carries the claims - user data, permissions, and metadata like expiration time.
The third part (signature) is computed over the first two encoded parts joined by a dot (the signing input is base64url(header).base64url(payload)) using the algorithm named in the header: an HMAC with a shared secret for HS256, or a private key for RS256 and ES256. The signature lets a recipient verify that the header and payload haven't been tampered with - but only if the recipient holds the corresponding secret or public key.
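The split-and-decode step described above, written out as an added example (this is not the tool's own source code). It splits the token on dots, reverses the Base64URL encoding of the header and payload, parses them as JSON, and renders the time claims as dates. Nothing here is verified: the signature bytes are decoded only so their length can be reported. The sample token is the widely circulated "John Doe" demo token; the function names are my own.

```javascript
// Added example of a decode-only JWT inspector, not the page's own code.
// It deliberately performs no signature verification.

// Sample input: the well-known demo token (header {"alg":"HS256","typ":"JWT"},
// payload {"sub":"1234567890","name":"John Doe","iat":1516239022}).
const SAMPLE_TOKEN =
  'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.' +
  'eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.' +
  'SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c';

// Base64URL (RFC 4648 section 5) to bytes: JWT segments use '-' and '_'
// instead of '+' and '/', and strip the trailing '=' padding.
function base64UrlDecode(segment) {
  if (!/^[A-Za-z0-9_-]*$/.test(segment)) {
    throw new Error('segment contains characters outside the Base64URL alphabet');
  }
  const std = segment.replace(/-/g, '+').replace(/_/g, '/');
  if (std.length % 4 === 1) {
    throw new Error('segment length is not valid for Base64');
  }
  const padded = std + '='.repeat((4 - (std.length % 4)) % 4);
  return Buffer.from(padded, 'base64');
}

// Split into header, payload, signature and parse the two JSON parts.
// A third segment that is empty is legal for "alg":"none" tokens, so it is
// reported rather than rejected here; a verifier must reject it.
function decodeJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) {
    throw new Error(`expected 3 dot-separated parts, got ${parts.length}`);
  }
  const [h, p, s] = parts;
  const header = JSON.parse(base64UrlDecode(h).toString('utf8'));
  const payload = JSON.parse(base64UrlDecode(p).toString('utf8'));
  if (typeof header !== 'object' || header === null ||
      typeof payload !== 'object' || payload === null) {
    throw new Error('header and payload must be JSON objects');
  }
  return { header, payload, signature: base64UrlDecode(s) };
}

// Render iat/nbf/exp as ISO dates so a reviewer does not have to convert
// Unix seconds in their head.
function timeClaims(payload) {
  const out = {};
  for (const name of ['iat', 'nbf', 'exp']) {
    if (typeof payload[name] === 'number') {
      out[name] = new Date(payload[name] * 1000).toISOString();
    }
  }
  return out;
}

const decoded = decodeJwt(SAMPLE_TOKEN);
console.log(decoded.header);            // { alg: 'HS256', typ: 'JWT' }
console.log(decoded.payload);           // { sub: '1234567890', name: 'John Doe', iat: 1516239022 }
console.log(timeClaims(decoded.payload)); // { iat: '2018-01-18T01:30:22.000Z' }
console.log(decoded.signature.length);  // 32 bytes; whether they are correct is unknown
```

The 32 bytes at the end are the right size for an HMAC-SHA256 tag, which is all a decoder can say about them; it cannot tell a genuine signature from random bytes.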
Common JWT Claims
JWTs include standard claims (registered claims) and can include custom claims:
- iss (issuer) - Who created the token
- sub (subject) - Who the token refers to (usually user ID)
- exp (expiration) - Unix timestamp (seconds) at or after which the token must be rejected
- iat (issued at) - Unix timestamp (seconds) when the token was created
- aud (audience) - Intended recipient(s) of the token; a verifier should reject tokens issued for someone else
- nbf (not before) - Unix timestamp (seconds) before which the token must not be accepted
- jti (JWT ID) - Unique identifier for the token, useful for revocation and replay detection
- Custom claims - Your application's specific data (roles, permissions, etc.)
When to Use JWT Decoding
During development, you'll frequently need to inspect tokens. Is the user ID correct? Did the expiration get set properly? Are the required claims present? This decoder answers these questions instantly without writing code.
When debugging authentication failures, decoding the JWT often reveals the problem - an expired token, missing claims, or incorrect values. It's faster than adding console.log statements or breaking out cryptographic libraries.
JWT Security Considerations
A signed JWT is encoded, not encrypted. Anyone who obtains the token can decode and read its contents (encrypted JWTs exist, in the JWE format, but the signed form described here is far more common). Never put passwords, secrets, or other sensitive information in a JWT payload; treat the contents as readable by anyone who intercepts the token.
The security comes from the signature, not from secrecy of the contents. When a token is signed and the recipient verifies it, the claims are shown to come from the holder of the signing key and to be unmodified since signing. Decoding alone proves nothing: anyone can assemble a token with arbitrary claims, so never make an authorization decision on decoded-but-unverified content. Verification requires the secret key (HMAC algorithms such as HS256) or the public key (RS256, ES256, etc.), and the verifier should pin the algorithm it expects rather than trust the token's own alg header. This decoder does none of that; it only shows what the token claims.
Token Expiration
Most JWTs include an 'exp' claim specifying when they expire. This decoder checks if the current time exceeds that expiration, alerting you to expired tokens. Short expiration times (minutes to hours) enhance security by limiting how long a stolen token remains valid.
If your application's tokens expire too quickly, users face frequent re-authentication. Too slowly, and compromised tokens pose longer risks. The exp value you see reveals your system's current configuration.
Privacy Guarantee
This decoder runs entirely in your browser. Your JWTs never leave your device or pass through any server. We don't see, log, or store anything you paste. This makes it safe to decode tokens from production systems.
Still, be cautious about where you paste production tokens. While this tool is private, clipboard history, shared screens, or browser extensions could potentially capture sensitive tokens.
Frequently Asked Questions
What is a JWT (JSON Web Token)?
JWT is a compact, URL-safe token format used for securely transmitting information between parties. It consists of three parts: a header (algorithm info), payload (claims/data), and signature (verification). JWTs are commonly used for authentication and authorization in web applications.
Is it safe to decode JWTs in an online tool?
Yes, this tool processes JWTs entirely in your browser. The token never leaves your device or gets sent to any server. However, remember that JWT payloads are only encoded (Base64URL), not encrypted - anyone with the token can read its contents, so still take care where you paste production tokens.
Can this tool verify JWT signatures?
This decoder displays the token's contents but doesn't verify signatures, as that would require the secret key or public key used to sign the token. For signature verification, you need the signing credentials from your authentication system.
Why does my JWT have three parts separated by dots?
The three parts are: Header (algorithm and token type), Payload (claims like user ID, expiration), and Signature (cryptographic verification). Each part is Base64URL encoded and joined by dots. This structure enables both data transport and integrity verification.
What does 'exp' mean in the payload?
The 'exp' claim is the expiration time as a Unix timestamp in seconds. At or after this time, the token must be rejected. Other common claims include 'iat' (issued at), 'nbf' (not before), 'sub' (subject/user ID), 'iss' (issuer), and 'aud' (audience).