JWT Decoder

Easily decode JWT (JSON Web Token) tokens.


What is JWT Decoder?

JWT Decoder is a free online tool that allows you to easily decode and verify JWT (JSON Web Token). Using this tool, you can verify the header and payload contents from JWT tokens in real time, streamlining security verification and debugging tasks.

It is particularly valuable for developers, security engineers, and system administrators who need to quickly check authentication token contents or verify signatures. JWT is a widely used authentication mechanism in modern web applications and APIs, and this tool makes handling them simple and efficient.

Problems This Tool Solves

  • Token Verification and Analysis: Quickly check JWT contents received from APIs to verify that the expected data is included
  • Debugging Efficiency: Instantly view token contents when troubleshooting authentication issues
  • Development Cycle Acceleration: Improve workflow efficiency when repeatedly generating and verifying tokens during development and testing
  • Security Auditing: Security check to ensure token permissions and claims are appropriate
  • Educational Purposes: Use as a visual tool for understanding and learning JWT structure

How to Use

  1. Enter JWT Token: Paste the JWT token you want to decode and verify into the input field
  2. Real-time Decoding: The token's header and payload are instantly decoded and displayed in JSON format
  3. Copy Function: Copy the decoded information to clipboard as needed
  4. Error Checking: For invalid token formats, error messages indicate the specific issues

JWT Structure Explained

JWT is a string consisting of three parts separated by periods (.): the header, the payload, and the signature.

Header

The part that indicates the token type and signing algorithm. Typically includes information such as:

{
  "alg": "HS256",
  "typ": "JWT"
}

  • alg: The algorithm used for signing (e.g., HS256, RS256, ES256)
  • typ: The token type (typically "JWT")

Payload

The part that stores the actual data (claims) contained in the token. Claims are categorized into three types:

  1. Registered Claims: Standardized claims
    • iss (issuer)
    • sub (subject)
    • exp (expiration time)
    • iat (issued at time)
    • nbf (not before time)
    • jti (JWT ID)
  2. Public Claims: Custom claims that should follow naming conventions to avoid collisions
  3. Private Claims: Non-public custom claims agreed upon between parties

{
  "sub": "1234567890",
  "name": "John Doe",
  "admin": true,
  "iat": 1622600000,
  "exp": 1622603600
}

Signature

The result of applying the signing algorithm to the encoded header and payload together with the key: a shared secret for HMAC algorithms such as HS256, or a private key for RS256 and ES256. The signature is what protects the token's integrity; a changed header or payload no longer matches it. This tool doesn't provide signature verification functionality, but allows you to check the contents of the header and payload.

Usage Example

Example: Analyzing User Authentication Token

When analyzing a JWT received from an API to check the user information and permissions it contains:

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Decoding this token displays:

Header:

{
  "alg": "HS256",
  "typ": "JWT"
}

Payload:

{
  "sub": "1234567890",
  "name": "John Doe",
  "admin": true,
  "iat": 1516239022
}

Security Considerations

  1. JWT Contents Are Not Secret: The header and payload are only Base64URL encoded, not encrypted, so anyone who obtains the token can read them. Do not include sensitive information in the payload.
  2. Importance of Signatures: Using appropriate signing algorithms and strong secret keys is essential to prevent token tampering. A decoder shows you the claims, but only signature verification tells you whether they are genuine.
  3. Setting Expiration Times: Give tokens an appropriate expiration time (the exp claim) so that a leaked token can only be used for a limited period.
  4. Public Decoding Tools: Exercise caution when decoding highly sensitive tokens using public online tools. This tool processes everything client-side and does not transmit data to any server.

Troubleshooting

Common Issues and Solutions

  • "Invalid Token Format" Error: Verify the JWT has three sections separated by periods
  • Invalid Characters: Check if the token contains line breaks or extra spaces
  • Payload Not Displaying: Verify the token format is correct and not a two-section JWT without a signature

Technical Background

JWT (JSON Web Token) is an open standard (RFC 7519) for securely transferring information as a compact and self-contained token in JSON format. It's primarily used for user authentication, access control, and information exchange.

It uses Base64URL encoding for the header and payload and generates a signature over them using the specified algorithm. The signature protects the integrity and authenticity of the claims; it does not hide them, since the encoding is reversible by anyone holding the token.

This tool provides an interface to parse JWT strings and display the contained information in a human-readable format.