📚 About JWT (JSON Web Tokens)
Everything you need to know about JWT and how to decode and verify tokens
What is JWT?
JWT (JSON Web Token) is an open standard (RFC 7519) for creating compact, self-contained tokens that securely transmit information between parties as JSON objects. It's widely used for:
- Authentication: User login and session management
- Authorization: Granting access to protected resources
- Information Exchange: Securely transmitting claims between services
- API Access: OAuth 2.0 token flows and REST APIs
- Single Sign-On (SSO): Cross-domain authentication
- Microservices: Inter-service communication
JWT Structure
A JWT consists of three parts separated by dots (.):
- Header: Contains token type and hashing algorithm
- Payload: Contains claims (user data)
- Signature: Ensures token integrity and authenticity
xxxxx.yyyyy.zzzzz
Example: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
Tool Features
- Instant JWT decoding
- Display header, payload, and signature
- Formatted JSON output
- Syntax highlighting
- Copy decoded data to clipboard
- Works 100% in your browser (no server upload)
- Support for all JWT algorithms
Common Claims
- aud: Audience - who the token is intended for
- exp: Expiration Time - when token expires (Unix timestamp)
- iat: Issued At - when token was issued
- iss: Issuer - who issued the token
- nbf: Not Before - when token becomes valid
- sub: Subject - typically the user ID
- jti: JWT ID - unique identifier for the token
Common Use Cases
- User Authentication: Login and session tokens
- API Authorization: Bearer token authentication
- Email Verification: Secure email confirmation links
- Password Reset: Temporary reset tokens
- OAuth 2.0: Access and ID tokens
- Service-to-Service: Microservice authentication
How to Use This Tool
- Copy your JWT token from your application
- Paste it in the JWT Token input area
- Click the Decode JWT button
- View the decoded header, payload, and signature
- Click to copy decoded data
⚠️ Note: This tool only decodes tokens. It does NOT verify the signature. Always verify signatures on your server.
Understanding JWT Header
The header typically contains two properties:
"alg": "HS256",
"typ": "JWT"
}
Common Algorithms:
- HS256: HMAC with SHA-256 (symmetric)
- RS256: RSA with SHA-256 (asymmetric)
- ES256: ECDSA with SHA-256
- PS256: RSA PSS with SHA-256
Security Best Practices
✅ DO:
- Always verify signatures on the server
- Use HTTPS to transmit tokens
- Store tokens securely (HttpOnly cookies or secure storage)
- Set short expiration times (exp claim)
- Use strong secrets for HMAC algorithms
- Implement token refresh mechanisms
- Validate all claims (exp, nbf, aud, iss)
❌ DON'T:
- Trust decoded claims without verification
- Use 'none' algorithm in production
- Store sensitive data in the payload
- Transmit tokens in URLs (use headers)
- Use weak secrets or hardcoded keys
- Ignore token expiration
- Log entire tokens in production
Common Issues & Solutions
❌ Invalid Token Format
Solution: Ensure the token has exactly 3 parts separated by dots. Check for extra spaces or line breaks.
❌ Decoding Error
Solution: The token might be corrupted. Try regenerating it from your application.
❌ Token Expired
Solution: Check the 'exp' claim. If it's in the past, request a new token using refresh token.
❌ Signature Invalid
Solution: Token may have been tampered with. Verify on server using the correct secret/key.
Related Tools
- Base64 Encoder/Decoder - Encode/decode Base64 data
- JSON Formatter - Format and validate JSON
- MD5 Hasher - Generate MD5 hashes
- URL Encoder/Decoder - Encode/decode URLs
RFC Standard
JWT is defined in RFC 7519, which specifies the standard format and processing rules for JSON Web Tokens.
This tool supports decoding of standard JWT tokens according to the RFC 7519 specification and is compatible with tokens from most authentication systems and OAuth 2.0 providers.