๐Ÿ” JWT Decoder

Decode and validate JWT (JSON Web Token) tokens online. View header, payload, and signature. Check expiration and claims.


What is a JWT Token?

JWT (JSON Web Token) is a compact, URL-safe token format used for securely transmitting information between parties. A JWT consists of three parts separated by dots: header, payload, and signature.

JWTs are commonly used for authentication and authorization in web applications and APIs. They allow stateless authentication, meaning the server doesn't need to store session information.

JWT Structure

1. Header

Contains metadata about the token, including the algorithm used for signing:

{
  "alg": "HS256",
  "typ": "JWT"
}

2. Payload

Contains the claims (data) about the user and additional metadata:

{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022,
  "exp": 1516242622
}

3. Signature

Used to verify that the token hasn't been tampered with. Created by base64url-encoding the header and payload, joining them with a dot, and signing that string with a secret key (HMAC) or a private key (RSA/ECDSA), according to the "alg" in the header.

Common JWT Claims

iss (Issuer): Who issued the token
sub (Subject): The subject of the token (usually user ID)
aud (Audience): Who the token is intended for
exp (Expiration): Token expiration timestamp
iat (Issued At): When the token was issued
nbf (Not Before): Token not valid before this timestamp
jti (JWT ID): Unique identifier for the token

Security Best Practices

  • ✓ Expiration: Always set reasonable expiration times for tokens to limit exposure if compromised.
  • ✓ Secret Keys: Use strong, randomly generated secret keys and never expose them in client-side code.
  • ✓ HTTPS: Always transmit JWTs over HTTPS to prevent interception.
  • ✓ Validation: Always validate token signature, expiration, and claims on the server side.