JWT Decoder
Decode and inspect JWT tokens
Warning: No Verification
This tool only decodes JWTs. It does NOT verify signatures. Never trust decoded JWT data without proper verification.
About This Tool
JSON Web Tokens (JWT) are a compact, URL-safe means of representing claims to be transferred between two parties. This decoder allows you to decode and inspect JWT tokens without verification, making it useful for debugging and development.
What is a JWT?
A JWT is composed of three parts separated by dots (.): Header, Payload, and Signature. The header typically states the token type (JWT) and the signing algorithm (such as HMAC SHA256 or RSA). The payload contains claims: statements about an entity plus additional data. The signature is computed over the encoded header and payload, so the recipient can verify that neither has been tampered with.
JWT Structure
- Header: Contains token type and algorithm (alg, typ)
- Payload: Contains claims like user ID, expiration time, roles
- Signature: Cryptographic signature to verify authenticity
- Format: xxxxx.yyyyy.zzzzz (Base64Url encoded)
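The decoding step described above, as an added example in Python (not the tool's own code): split the compact form on dots, restore the Base64Url padding that JWTs strip, and parse the header and payload as JSON. The sample token is the widely circulated jwt.io demo token; its signature segment is decoded to bytes but, exactly like this tool, never checked.

```python
import base64
import json
from datetime import datetime, timezone

# Sample token (the public jwt.io demo values). The signature segment is decoded
# as raw bytes below but NOT verified; that is deliberate, this is decode-only.
SAMPLE_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ."
    "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
)

# Registered claim names from RFC 7519; True marks the ones holding a NumericDate
REGISTERED_CLAIMS = {"iss": False, "sub": False, "aud": False,
                     "exp": True, "nbf": True, "iat": True, "jti": False}


def b64url_decode(segment: str) -> bytes:
    """Decode one Base64Url segment, restoring the '=' padding that JWTs omit."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt(token: str) -> dict:
    """Split xxxxx.yyyyy.zzzzz into header, payload and raw signature. No verification."""
    parts = token.strip().split(".")
    if len(parts) != 3:
        raise ValueError(f"expected 3 dot-separated parts, got {len(parts)}")
    header_b64, payload_b64, signature_b64 = parts
    return {
        "header": json.loads(b64url_decode(header_b64)),
        "payload": json.loads(b64url_decode(payload_b64)),
        "signature": b64url_decode(signature_b64),  # bytes; empty for an unsigned token
    }


def summarize(decoded: dict) -> dict:
    """List alg, the registered claims present (timestamps rendered as UTC) and custom claims."""
    summary = {"alg": decoded["header"].get("alg"), "registered": {}, "custom": {}}
    for name, value in decoded["payload"].items():
        if name in REGISTERED_CLAIMS:
            if REGISTERED_CLAIMS[name] and isinstance(value, (int, float)):
                value = datetime.fromtimestamp(value, tz=timezone.utc).isoformat()
            summary["registered"][name] = value
        else:
            summary["custom"][name] = value
    return summary


if __name__ == "__main__":
    decoded = decode_jwt(SAMPLE_TOKEN)
    print(json.dumps(decoded["header"], indent=2))
    print(json.dumps(decoded["payload"], indent=2))
    print(summarize(decoded))
```

Because the two JSON parts are only encoded, not encrypted, anything in the payload is readable by whoever holds the token; keep that in mind before putting sensitive data in claims.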
Common Use Cases
JWTs are widely used for authentication and authorization in modern web applications. After a user logs in, each subsequent request includes the JWT, allowing the user to access routes, services, and resources permitted with that token. JWTs are also used in single sign-on (SSO), information exchange between parties, and stateless authentication mechanisms.
Important Security Note
This tool only decodes JWTs - it does NOT verify signatures. Decoding a JWT reveals its contents but doesn't validate its authenticity. In production, always verify JWT signatures on the server side. Never trust decoded JWT data without verification, as tokens can be modified. JWTs should be transmitted over HTTPS and stored securely to prevent unauthorized access.
Standard Claims
Common JWT claims include: iss (issuer), sub (subject), aud (audience), exp (expiration time), nbf (not before), iat (issued at), and jti (JWT ID). These registered claims provide a standard way to include important metadata in tokens. Custom claims can also be added to include application-specific data.
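The server-side verification that the security note above calls for, combined with checks of the registered claims just listed, as an added Python example (not the tool's own code). The key, issuer, audience and claim values are constructed for the demo; the verifier pins the algorithm to HS256 rather than trusting the token's own header, compares the HMAC in constant time, and only then evaluates exp, nbf, iss and aud.

```python
import base64
import hashlib
import hmac
import json
import time

# Constructed demo values (assumptions for this example, not production settings)
DEMO_KEY = b"constructed-demo-key-not-for-production"
ISSUER = "https://issuer.example"
AUDIENCE = "api.example"
SAMPLE_CLAIMS = {"iss": ISSUER, "sub": "user-42", "aud": AUDIENCE,
                 "iat": 1700000000, "exp": 1700003600, "roles": ["reader"]}
NOW = 1700000600  # fixed "current time" inside the token's validity window


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def sign_hs256(claims: dict, key: bytes) -> str:
    """Issue an HS256 JWT: Base64Url(header).Base64Url(payload).Base64Url(HMAC-SHA256)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (b64url_encode(json.dumps(header, separators=(",", ":")).encode())
                     + "." + b64url_encode(json.dumps(claims, separators=(",", ":")).encode()))
    tag = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(tag)


def verify_hs256(token: str, key: bytes, issuer: str, audience: str, now=None) -> dict:
    """Return the payload only if the signature AND the registered claims check out."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected header.payload.signature")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: the verifier decides how to verify, never the token's own header
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison so a mismatch does not leak how many bytes matched
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    payload = json.loads(b64url_decode(payload_b64))
    # Registered claims: exp and nbf are NumericDate values (seconds since the Unix epoch)
    if not isinstance(payload.get("exp"), (int, float)) or now >= payload["exp"]:
        raise ValueError("token expired or has no exp")
    if now < payload.get("nbf", 0):
        raise ValueError("token not yet valid (nbf)")
    if payload.get("iss") != issuer:
        raise ValueError("issuer mismatch")
    aud = payload.get("aud")
    if audience not in (aud if isinstance(aud, list) else [aud]):
        raise ValueError("audience mismatch")
    return payload


def outcome(token: str, key: bytes, now: int) -> str:
    """Accept/reject summary for the demo runs below."""
    try:
        verify_hs256(token, key, ISSUER, AUDIENCE, now=now)
        return "accepted"
    except ValueError as exc:
        return f"rejected: {exc}"


TOKEN = sign_hs256(SAMPLE_CLAIMS, DEMO_KEY)
# The same token with its payload changed after issuance: decoding still "works",
# but the original signature no longer matches, which is what the verifier catches
_h, _p, _s = TOKEN.split(".")
_edited_payload = b64url_encode(json.dumps({**SAMPLE_CLAIMS, "sub": "user-99"}, separators=(",", ":")).encode())
EDITED_TOKEN = ".".join([_h, _edited_payload, _s])

if __name__ == "__main__":
    print("genuine token:", outcome(TOKEN, DEMO_KEY, NOW))
    print("edited payload:", outcome(EDITED_TOKEN, DEMO_KEY, NOW))
    print("wrong key:", outcome(TOKEN, b"some-other-key", NOW))
    print("after exp:", outcome(TOKEN, DEMO_KEY, SAMPLE_CLAIMS["exp"]))
```

The order matters: signature first, claims second, and nothing from the payload (including its alg or any custom role claim) is acted on until both have passed. A library such as PyJWT does the same checks; the point of spelling them out is to show which ones a decode-only view, like this tool, skips.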