JWT Decoder
Decode and analyze JSON Web Tokens (JWT).
What is a JSON Web Token (JWT)?
A JSON Web Token (JWT) is an open standard (RFC 7519) for securely transmitting information between parties as a JSON object. JWTs are widely used for authentication and authorization in modern web applications, APIs, and microservices architectures.
JWTs are self-contained tokens—they carry all the information needed to verify their authenticity and extract user data, eliminating the need for server-side session storage. This makes them ideal for stateless authentication in distributed systems.
JWT Structure
A JWT consists of three parts separated by dots (.):
Header: contains the token type and signing algorithm.
```json
{
  "alg": "HS256",
  "typ": "JWT"
}
```
Payload: contains claims (user data and metadata).
```json
{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022
}
```
Signature: verifies the token hasn't been tampered with.
```
HMACSHA256(
  base64(header) + "." +
  base64(payload),
  secret
)
```
Standard JWT Claims
The JWT specification defines several registered claims with specific meanings:
| Claim | Name | Description |
|---|---|---|
| iss | Issuer | Who issued the token (e.g., your auth server URL) |
| sub | Subject | The subject of the token (usually the user ID) |
| aud | Audience | Intended recipient(s) of the token |
| exp | Expiration Time | Unix timestamp when the token expires |
| nbf | Not Before | Unix timestamp before which the token is not valid |
| iat | Issued At | Unix timestamp when the token was issued |
| jti | JWT ID | Unique identifier for the token |
JWT Signing Algorithms
Symmetric Algorithms (HMAC)
- HS256 - HMAC with SHA-256
- HS384 - HMAC with SHA-384
- HS512 - HMAC with SHA-512
Same secret key signs and verifies. Simpler but requires secure key sharing.
Asymmetric Algorithms (RSA/ECDSA)
- RS256 - RSA with SHA-256
- RS384 - RSA with SHA-384
- RS512 - RSA with SHA-512
- ES256 - ECDSA with SHA-256
Private key signs, public key verifies. Better for distributed systems.
How JWT Authentication Works
- Login: User sends credentials to authentication server
- Token Generation: Server validates credentials and generates JWT with user claims
- Token Storage: Client stores JWT (usually in localStorage or httpOnly cookie)
- API Requests: Client sends the JWT in the Authorization header as Bearer <token>
- Validation: Server validates the signature and claims, then processes the request
- Expiration: When token expires, user must re-authenticate or use refresh token
JWT Security Best Practices
Never create tokens without expiration. Short-lived tokens (15 minutes to 1 hour) limit the damage if a token is stolen. Use refresh tokens for longer sessions.
- httpOnly cookies: Best protection against XSS (JavaScript can't access)
- localStorage: Convenient but vulnerable to XSS attacks
- sessionStorage: Cleared when tab closes; still XSS vulnerable
Always verify that the algorithm matches what you expect: pin the expected algorithm on the server rather than trusting the token's "alg" header. The infamous "alg: none" attack exploits servers that accept unsigned tokens. Never accept "alg": "none" in production.
For HMAC algorithms, use cryptographically random secrets at least 256 bits long. Weak secrets can be brute-forced to forge tokens.
JWT payloads are base64-encoded, not encrypted. Anyone can decode and read them. Never include passwords, credit cards, or other sensitive data in the payload.
JWT vs Sessions: When to Use Each
| Factor | JWT | Server Sessions |
|---|---|---|
| Scalability | Excellent - stateless | Requires session store |
| Revocation | Difficult - needs blocklist | Easy - delete session |
| Storage | Client-side | Server-side |
| Microservices | Great fit | Needs shared store |
| Mobile Apps | Works well | Cookie handling issues |
Security Note
This decoder cannot verify signatures because it doesn't have access to the secret key.
To verify a JWT's authenticity, you need the secret key (for HMAC) or public key (for RSA/ECDSA).
Common JWT Libraries
- Node.js: jsonwebtoken
- Python: PyJWT
- Java: jjwt, auth0-java-jwt
- Go: golang-jwt
- Ruby: ruby-jwt
- PHP: firebase/php-jwt
- .NET: System.IdentityModel.Tokens.Jwt