JWTDecoder

Secure, client-side decoding for JSON Web Tokens. Privacy first.

Encoded Token

Paste your Base64Url-encoded token string below.

Decoding happens entirely in your browser


Decode and Inspect JWT Tokens Online

A JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. Defined by RFC 7519, JWTs are commonly used in modern web applications for stateless authentication and authorization. The header and payload are signed (or MACed) with a cryptographic key, so a party holding the right key can detect tampering and confirm who issued the token. The signature protects integrity and authenticity only; it does not hide the contents.

JWT (JSON Web Token) is an open standard for exchanging signed claims between a client and a server. Because a token is self-contained, the server can check the claims it carries without a session lookup on every request, which suits microservices and APIs. The same property cuts both ways: the payload is only Base64Url-encoded, not encrypted (unless the token is additionally wrapped as a JWE, RFC 7516), so anyone who obtains a token can read it, and a stateless token remains valid until its exp time unless the server keeps extra state to revoke it.

JWT Structure Explained

A standard JWT consists of three parts separated by dots (.): Header, Payload, and Signature.

xxxxx.yyyyy.zzzzz

Header

The header typically consists of two parts: the type of the token (JWT) and the signing algorithm being used, such as HMAC SHA256 or RSA.

{
  "alg": "HS256",
  "typ": "JWT"
}

Payload

The payload contains the claims. Claims are statements about an entity (typically, the user) and additional data.

{
  "sub": "123456",
  "name": "John Doe",
  "iat": 1710000000
}

There are three types of claims: registered (standard claims like exp or sub), public, and private claims.

Signature

The signature is computed over the Base64Url-encoded header and payload joined by a dot, using the key and the algorithm indicated by the header (for example HMAC-SHA256 with a shared secret, or RSA with a private key). A verifier that holds the matching key recomputes or checks the signature and so detects any change to the header or payload. This gives integrity and authenticity; it does not encrypt anything, and a verifier should take the algorithm from its own configuration rather than trust the alg value in a header it has not yet verified.

How JWT Authentication Works

  1. Login: The user provides credentials (username/password) to the authentication server.
  2. Generation: The server verifies the credentials and creates a signed JWT.
  3. Storage: The client stores the JWT locally, either in an HttpOnly cookie or in localStorage/sessionStorage, where any script running on the page (including injected XSS) can read it.
  4. Transmission: For subsequent requests, the client sends the JWT in the Authorization header using the Bearer schema.
  5. Validation: The server verifies the signature with its configured algorithm and key, then checks the time and audience claims (exp, nbf, iss, aud) before trusting any claim and authorizing the request.

Common JWT Claims

Claim   Meaning
iss     Issuer of the token
sub     Subject (usually the user ID)
aud     Audience (intended recipient; a string or an array of strings)
exp     Expiration time (UNIX timestamp; the token must be rejected at or after this instant)
nbf     Not Before time (UNIX timestamp; the token must be rejected before this instant)
iat     Issued At time (UNIX timestamp)
jti     JWT ID (unique identifier, useful for replay detection and deny-lists)

JWT Algorithms Explained

JWTs support multiple algorithms for signing (registered in RFC 7518). The differences mainly revolve around symmetric versus asymmetric cryptography:

  • HS256, HS384, HS512: Symmetric algorithms (HMAC with SHA-2). A single shared secret both creates and verifies the signature, so every service able to verify a token is also able to mint one.
  • RS256, RS384, RS512 (RSASSA-PKCS1-v1_5), PS256/384/512 (RSASSA-PSS) and ES256/384/512 (ECDSA): Asymmetric algorithms. A private key signs the token and the corresponding public key verifies it, so in a distributed system the verifying services hold only the public key and cannot forge tokens if compromised.
  • none: RFC 7518 also registers "none" for unsecured JWTs with an empty signature. A production verifier must reject it, and must in general accept only the algorithm it was configured for rather than whatever the token's header names.

JWT Decoder vs JWT Verification

Decoding

Decoding simply Base64Url-decodes the header and payload of the token. It requires no secret or public key. Our JWT decoder lets you inspect the header and claims, but decoding does not validate authenticity: a forged or tampered token decodes exactly as cleanly as a genuine one.

Verification

Verification recomputes (HMAC) or checks (asymmetric) the signature over the encoded header and payload using the expected algorithm and the secret or public key, and compares the result with the token's signature. A valid signature shows the token was produced by a holder of the key and not altered since; the verifier still has to check exp, nbf, iss and aud before accepting it.

Competitive Comparisons & Deep Dives

JWT vs Session Authentication

While sessions store state on the server (usually requiring a session-store or database lookup per request), JWTs are stateless: all required data is encapsulated within the token itself, which reduces per-request server work and eases horizontal scaling. The trade-off is revocation: a stateless token remains valid until exp unless the server keeps a deny-list or other state, which is why short lifetimes matter.

JWT vs OAuth

OAuth is an authorization framework, whereas JWT is a token format. They are often used together: OAuth defines the flows for acquiring tokens, and the resulting access tokens are frequently formatted as JWTs (especially in OpenID Connect).

JWT vs Cookies

Cookies are a transport mechanism, while JWTs are a payload format. A JWT can be stored in a cookie flagged HttpOnly (and Secure, with a SameSite attribute) so that page scripts, including injected Cross-Site Scripting (XSS) payloads, cannot read it, while the server still enjoys stateless verification. Because the browser attaches cookies automatically, cookie-borne tokens need the usual CSRF defenses that an Authorization header does not.

Common JWT Use Cases

Authentication, Single Sign-On (SSO), APIs, OAuth, OpenID Connect, Session Management, Microservices

JWT Security Best Practices

  • Token Expiration: Issue short-lived tokens with an exp claim so a stolen token is useful only briefly; use a refresh mechanism for longer sessions.
  • HTTPS Only: Transmit tokens only over TLS to prevent interception (man-in-the-middle attacks).
  • Signature Verification: Your backend must verify the signature with a pinned algorithm and key before trusting any claim, rejecting alg "none" and any header alg that differs from the configured one, and must also check exp, nbf, iss and aud.
  • Payload Contents: The payload is readable by anyone who holds the token; never place passwords or other secrets in claims.
  • Secret Management: Keep HMAC secrets and private keys out of source code (environment variables, a secret manager), make HMAC secrets long and random, and rotate them; publish public keys with a kid so that rotation does not break verifiers.
  • Browser-Side Privacy: Use our local decoding tool to inspect tokens without sending sensitive payloads over the network.

Frequently Asked Questions

What is a JWT token?

A JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object.

What does JWT stand for?

JWT stands for JSON Web Token. It is commonly used for authorization and secure information exchange in modern web applications and APIs.

How do I decode a JWT token?

You can decode a JWT token by pasting it into a JWT decoder tool. The tool splits the token into its three Base64Url-encoded parts (Header, Payload, Signature), decodes the header and payload into readable JSON, and shows the signature as-is.

Does decoding a JWT verify its authenticity?

No. Decoding a JWT simply reads its contents. It does not verify the signature. To verify a JWT, you need the secret key or public key that was used to sign it.

What is the difference between JWT decoding and verification?

Decoding a JWT translates the Base64Url encoded string back into a readable JSON format, requiring no keys. Verification involves mathematically checking the token's signature using a secret or public key to ensure it hasn't been tampered with.

What are JWT claims?

JWT claims are pieces of information asserted about a subject. They are located in the payload section of the token and include standard fields like 'iss' (issuer), 'exp' (expiration), and 'sub' (subject), as well as custom data.

Is it safe to decode JWT tokens online?

Yes, if you use a browser-based tool like this one. Since the decoding happens entirely on your device using JavaScript, the token is never sent to a server. Remember that a token you paste is usually a live credential: with a tool that decodes server-side, the operator would receive it, so check where a decoder sends data (for example in the browser's network tab) before pasting production tokens, and prefer expired or test tokens where you can.

What does the exp claim mean?

The 'exp' (expiration time) claim identifies the expiration time on or after which the JWT MUST NOT be accepted for processing. It is defined as a UNIX timestamp.

Which JWT algorithms are most common?

The most common algorithms are HS256 (HMAC with SHA-256), a symmetric algorithm, and RS256 (RSA Signature with SHA-256), an asymmetric algorithm.

Does this JWT Decoder process tokens locally?

Yes, all processing and decoding happens directly in your browser. No data is uploaded to our servers, keeping your tokens completely private and secure.

Explore More Tools

Enhance your workflow by exploring our suite of specialized developer utilities. Beyond JWT decoding, Unixly offers tools to help you Format JSON data, securely Encode Base64 strings, and Generate UUIDs for your next big project. You can also Test regular expressions for complex pattern matching, or Convert UNIX timestamps seamlessly.