What is JWT? A Complete Guide to JSON Web Tokens
Learn everything about JSON Web Tokens (JWT) - how they work, their structure, and why they are widely used for authentication and authorization.
What is a JSON Web Token?
A JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA.
In simple terms, JWT is like a digital passport. It contains identity claims (who you are), permissions, and other metadata — all packed into a single string that can be verified by the receiving party.
The Structure of a JWT
A JWT consists of three parts separated by dots (.):
header.payload.signature
Therefore, a JWT typically looks like this:
xxxxx.yyyyy.zzzzz
1. Header
The header typically consists of two parts: the type of the token, which is JWT, and the signing algorithm being used, such as HMAC SHA256 or RSA.
{
"alg": "HS256",
"typ": "JWT"
}
Then, this JSON is Base64Url encoded to form the first part of the JWT.
2. Payload
The second part of the token is the payload, which contains the claims. Claims are statements about an entity (typically, the user) and additional data. There are three types of claims: registered, public, and private claims.
- Registered claims: These are a set of predefined claims which are not mandatory but recommended, to provide a set of useful, interoperable claims. These include iss (issuer), exp (expiration time), sub (subject), and aud (audience), among others.
- Public claims: These can be defined at will by those using JWTs. But to avoid collisions, they should be defined in the IANA JSON Web Token Registry or be a public name.
- Private claims: These are custom claims created to share information between parties that agree on using them.
An example payload could be:
{
"sub": "1234567890",
"name": "John Doe",
"admin": true,
"iat": 1516239022,
"exp": 1516242622
}
The payload is then Base64Url encoded to form the second part of the JWT.
3. Signature
To create the signature, you take the encoded header, the encoded payload, and a secret, and sign them using the algorithm specified in the header.
For example, if you want to use the HMAC SHA256 algorithm, the signature will be created in the following way:
HMACSHA256(
base64UrlEncode(header) + "." +
base64UrlEncode(payload),
secret)
The signature is used to verify that the sender of the JWT is who it says it is and to ensure that the message wasn't changed along the way.
How Do JSON Web Tokens Work?
In authentication, when the user successfully logs in using their credentials, a JSON Web Token will be returned. Since tokens are credentials, it is important to keep them secure to prevent security issues. In general, you should not keep tokens longer than required.
Whenever the user wants to access a protected route or resource, the user agent should send the JWT, typically in the Authorization header using the Bearer schema. The content of the header should look like the following:
Authorization: Bearer <token>
This is a stateless authentication mechanism as the user state is never saved in server memory. The server's protected routes will check for a valid JWT in the Authorization header, and if it's present, the user will be allowed to access protected resources.
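The following is an added example, not code from the original article, that walks through both the token structure described above and the Authorization header flow: it builds an HS256 token from the article's example header and payload, then verifies a token taken from a "Bearer" header, checking the algorithm, the signature (with a constant-time comparison) and the exp claim before returning the claims. It uses only the Python standard library; the secret and the function names are assumptions made up for the demo.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional


def b64url_encode(data: bytes) -> str:
    """Base64Url encode without '=' padding, as the JWT/JWS specs require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    """Reverse of b64url_encode: restore the padding before decoding."""
    padding = "=" * (-len(text) % 4)
    return base64.urlsafe_b64decode(text + padding)


def create_jwt(payload: dict, secret: bytes) -> str:
    """Build header.payload.signature with HS256, exactly as the article describes."""
    header = {"alg": "HS256", "typ": "JWT"}
    # separators=(",", ":") drops whitespace so the encoded parts stay compact
    encoded_header = b64url_encode(json.dumps(header, separators=(",", ":")).encode())
    encoded_payload = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    signing_input = f"{encoded_header}.{encoded_payload}".encode("ascii")
    signature = hmac.new(secret, signing_input, hashlib.sha256).digest()
    return f"{encoded_header}.{encoded_payload}.{b64url_encode(signature)}"


class InvalidToken(Exception):
    """Raised for any token that must not be accepted."""


def verify_jwt(token: str, secret: bytes, now: Optional[int] = None) -> dict:
    """Verify signature and expiry; return the claims only when everything checks out."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise InvalidToken("token must have exactly three dot-separated parts")
    encoded_header, encoded_payload, encoded_signature = parts

    # The verifier decides which algorithm is acceptable; it does not take the
    # header's word for it, so "none" or any unexpected value is rejected here.
    header = json.loads(b64url_decode(encoded_header))
    if header.get("alg") != "HS256":
        raise InvalidToken("unexpected signing algorithm")

    signing_input = f"{encoded_header}.{encoded_payload}".encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    # compare_digest avoids leaking the signature through timing differences
    if not hmac.compare_digest(expected, b64url_decode(encoded_signature)):
        raise InvalidToken("signature mismatch")

    claims = json.loads(b64url_decode(encoded_payload))
    if "exp" not in claims or now >= int(claims["exp"]):
        raise InvalidToken("token expired or has no expiry")
    return claims


def claims_from_authorization_header(header_value: str, secret: bytes,
                                     now: Optional[int] = None) -> dict:
    """Extract the token from 'Authorization: Bearer <token>' and verify it."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() != "bearer" or not token.strip():
        raise InvalidToken("Authorization header is not a Bearer token")
    return verify_jwt(token.strip(), secret, now)


# Constructed demo values: a made-up secret and the article's example payload.
DEMO_SECRET = b"demo-secret-do-not-use-in-production"
DEMO_PAYLOAD = {"sub": "1234567890", "name": "John Doe", "admin": True,
                "iat": 1516239022, "exp": 1516242622}

if __name__ == "__main__":
    token = create_jwt(DEMO_PAYLOAD, DEMO_SECRET)
    print(token)
    # Accepted while the clock is before "exp"
    print(claims_from_authorization_header(f"Bearer {token}", DEMO_SECRET, now=1516240000))
    # Swap in a different payload: the signature no longer matches and the token is rejected
    h, _, s = token.split(".")
    tampered = ".".join([h, b64url_encode(b'{"sub":"1","admin":true}'), s])
    try:
        verify_jwt(tampered, DEMO_SECRET, now=1516240000)
    except InvalidToken as exc:
        print("rejected:", exc)
```

Passing `now` explicitly keeps the expiry check testable; a real service would leave it at the default wall-clock time. The first part of the generated token is the familiar `eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9`, which is just the header JSON from the article in Base64Url form.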
Why Should We Use JSON Web Tokens?
Compact
Because of their compact size, JWTs can be sent through a URL, a POST parameter, or inside an HTTP header. Additionally, the small size keeps transmission fast.
Self-Contained
A JWT contains all the necessary information about an entity within itself, avoiding the need to query the database more than once. The payload can contain information about the user, the token's expiration time, the issuer, and more.
Secure
JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA. This ensures that the token hasn't been tampered with and that the sender is who they claim to be. A signature provides integrity and authenticity, not confidentiality: the header and payload are only Base64Url encoded, so anyone holding the token can read the claims.
Common Use Cases for JWT
Authentication
This is the most common scenario for using JWT. Once the user is logged in, each subsequent request will include the JWT, allowing the user to access routes, services, and resources that are permitted with that token.
Information Exchange
JSON Web Tokens are a good way of securely transmitting information between parties. Because JWTs can be signed — for example, using public/private key pairs — you can be sure the senders are who they say they are. Additionally, as the signature is calculated using the header and the payload, you can also verify that the content hasn't been tampered with.
Conclusion
JSON Web Tokens are a powerful and flexible way to handle authentication and information exchange in modern web applications. By understanding the structure — Header, Payload, and Signature — and how they work together, you can build secure, stateless authentication systems. Try pasting a JWT into our free online JWT decoder to see its structure in action.
Need to decode a JWT token? Try our free JWT decoder tool — no sign-up required, runs entirely in your browser.