
JWT Decoder - Decode JSON Web Tokens Online

JWT Decoder

Decode and analyze JSON Web Tokens (JWT).


What is a JSON Web Token (JWT)?

A JSON Web Token (JWT) is an open standard (RFC 7519) for securely transmitting information between parties as a JSON object. JWTs are widely used for authentication and authorization in modern web applications, APIs, and microservices architectures.

JWTs are self-contained tokens—they carry all the information needed to verify their authenticity and extract user data, eliminating the need for server-side session storage. This makes them ideal for stateless authentication in distributed systems.

JWT Structure

A JWT consists of three parts separated by dots (.):

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
Header

Contains token type and signing algorithm.

{
  "alg": "HS256",
  "typ": "JWT"
}
Payload

Contains claims (user data and metadata).

{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022
}
Signature

Verifies the token hasn't been tampered with.

HMACSHA256(
  base64UrlEncode(header) + "." +
  base64UrlEncode(payload),
  secret
)

Standard JWT Claims

The JWT specification defines several registered claims with specific meanings:

Claim  Name             Description
iss    Issuer           Who issued the token (e.g., your auth server URL)
sub    Subject          The subject of the token (usually user ID)
aud    Audience         Intended recipient(s) of the token
exp    Expiration Time  Unix timestamp when token expires
nbf    Not Before       Unix timestamp before which token is not valid
iat    Issued At        Unix timestamp when token was issued
jti    JWT ID           Unique identifier for the token

JWT Signing Algorithms

Symmetric Algorithms (HMAC)

  • HS256 - HMAC with SHA-256
  • HS384 - HMAC with SHA-384
  • HS512 - HMAC with SHA-512

Same secret key signs and verifies. Simpler but requires secure key sharing.

Asymmetric Algorithms (RSA/ECDSA)

  • RS256 - RSA with SHA-256
  • RS384 - RSA with SHA-384
  • RS512 - RSA with SHA-512
  • ES256 - ECDSA with SHA-256

Private key signs, public key verifies. Better for distributed systems.

How JWT Authentication Works

  1. Login: User sends credentials to authentication server
  2. Token Generation: Server validates credentials and generates JWT with user claims
  3. Token Storage: Client stores JWT (usually in localStorage or httpOnly cookie)
  4. API Requests: Client sends JWT in Authorization header: Bearer <token>
  5. Validation: Server validates signature and claims, then processes request
  6. Expiration: When token expires, user must re-authenticate or use refresh token

JWT Security Best Practices

Never create tokens without expiration. Short-lived tokens (15 minutes to 1 hour) limit the damage if a token is stolen. Use refresh tokens for longer sessions.

  • httpOnly cookies: Best protection against XSS (JavaScript can't access)
  • localStorage: Convenient but vulnerable to XSS attacks
  • sessionStorage: Cleared when tab closes; still XSS vulnerable

Always verify the algorithm matches what you expect. The infamous "alg: none" attack exploits servers that accept unsigned tokens. Never accept "alg": "none" in production.

For HMAC algorithms, use cryptographically random secrets at least 256 bits long. Weak secrets can be brute-forced to forge tokens.

JWT payloads are base64url-encoded, not encrypted. Anyone who obtains a token can decode and read them. Never include passwords, credit card numbers, or other sensitive data in the payload.

JWT vs Sessions: When to Use Each

Factor         JWT                          Server Sessions
Scalability    Excellent - stateless        Requires session store
Revocation     Difficult - needs blocklist  Easy - delete session
Storage        Client-side                  Server-side
Microservices  Great fit                    Needs shared store
Mobile Apps    Works well                   Cookie handling issues

Security Note

This decoder cannot verify signatures because it doesn't have access to the secret key.

To verify a JWT's authenticity, you need the secret key (for HMAC) or public key (for RSA/ECDSA).
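The verification step this decoder cannot perform, together with the checks from the best-practices section (pin the expected algorithm on the server side, reject "alg": "none", require and check exp/nbf), as an added example that is not part of this site's tool. It uses only the Python standard library; the secret and claims in the demo are constructed sample values.

```python
import base64, hashlib, hmac, json, time

# Algorithms the server is willing to verify; the token header never widens this set.
ALLOWED_ALGS = {"HS256": hashlib.sha256, "HS384": hashlib.sha384, "HS512": hashlib.sha512}

def b64url_encode(data: bytes) -> str:
    # JWT segments use base64url without '=' padding (RFC 7515).
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def sign(payload: dict, secret: bytes, alg: str = "HS256") -> str:
    header = b64url_encode(json.dumps({"alg": alg, "typ": "JWT"}, separators=(",", ":")).encode())
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), ALLOWED_ALGS[alg]).digest()
    return f"{header}.{body}.{b64url_encode(sig)}"

def verify(token: str, secret: bytes, expected_alg: str = "HS256", now=None) -> dict:
    """Return the claims if the token is authentic and currently valid, else raise ValueError."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token: expected header.payload.signature")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    # The expected algorithm comes from server configuration, not from the token,
    # so "alg": "none" (or any downgrade) is rejected before any signature work.
    if expected_alg not in ALLOWED_ALGS or header.get("alg") != expected_alg:
        raise ValueError(f"unexpected alg {header.get('alg')!r}")
    expected_sig = hmac.new(secret, f"{header_b64}.{payload_b64}".encode(),
                            ALLOWED_ALGS[expected_alg]).digest()
    # Constant-time comparison avoids leaking how many signature bytes matched.
    if not hmac.compare_digest(expected_sig, b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    claims = json.loads(b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if "exp" not in claims:
        raise ValueError("missing exp claim")      # never accept tokens without expiry
    if now >= claims["exp"]:
        raise ValueError("token expired")
    if now < claims.get("nbf", now):
        raise ValueError("token not yet valid")
    return claims

if __name__ == "__main__":
    SECRET = b"constructed-demo-secret-use-32-random-bytes-in-prod"  # constructed sample
    token = sign({"sub": "1234567890", "name": "John Doe", "iat": 1700000000, "exp": 1700000900}, SECRET)
    print(verify(token, SECRET, now=1700000100))
```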

Common JWT Libraries
  • Node.js: jsonwebtoken
  • Python: PyJWT
  • Java: jjwt, auth0-java-jwt
  • Go: golang-jwt
  • Ruby: ruby-jwt
  • PHP: firebase/php-jwt
  • .NET: System.IdentityModel.Tokens.Jwt