JWT Decoder
Decode, validate, and inspect JSON Web Tokens (JWT). View header, payload, and signature details instantly.
"I was debugging an authentication issue for hours. Then I decoded the JWT with this tool and saw the token had expired. Fixed in 5 minutes. Every developer needs a JWT decoder in their toolkit."
- Priya S., Full Stack Developer
JWT Decoder & Validator
Paste your JWT token below to decode and inspect
What is JWT (JSON Web Token)?
JWT (JSON Web Token) is an open standard (RFC 7519) for transmitting claims between parties as a compact, URL-safe string whose payload is a JSON object. A JWT is normally digitally signed (as a JWS, RFC 7515), so a recipient that verifies the signature can trust that the claims came from the signer and were not altered in transit. The payload itself is encoded, not encrypted: anyone holding the token can read it.
- Stateless Authentication: No server-side session storage is needed; the verifier only needs the key
- Self-Contained: Carries the claims a service needs (subject, roles, expiry) inside the token
- Cross-Platform: Libraries exist for every mainstream programming language
- Expiration Control: The exp claim lets tokens expire automatically, limiting the lifetime of a stolen token
- Tamper-Evident: A verified signature proves the header and payload were not altered; an unverified token proves nothing
JWT Structure: Three Parts
HEADER.PAYLOAD.SIGNATURE

Example (one string, three base64url parts joined by dots, no spaces):
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
Header
Contains: Token type (typ, usually JWT) and the signing algorithm (alg, e.g. HS256 or RS256). The header is attacker-controlled input until the signature is verified, so a verifier must not let it choose which algorithm or key to use.
Example: {"alg": "HS256", "typ": "JWT"}
Payload
Contains: Claims (user data, permissions, expiration)
Example: {"sub": "123", "name": "John", "exp": 1516239022}
Signature
Purpose: Lets the verifier detect any change to the header or payload and confirm which key signed the token
Created by: Signing the string base64url(header) + "." + base64url(payload) with the shared secret (HMAC, e.g. HS256) or the issuer's private key (RSA or ECDSA, e.g. RS256, ES256)
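As an added example (not code from the page or from the decoder tool itself), the following Python program, using only the standard library, does what the three-part structure above describes: it splits a token, base64url-decodes the header and payload, and rebuilds and checks an HS256 signature. It uses the example token shown above. The secret used to check that token's signature, "your-256-bit-secret", is the jwt.io demo secret and is an assumption of this example, not something the page states. The helper names (b64url_decode, decode_unverified, sign_hs256, verify_hs256, tamper_payload) are this example's own.

```python
import base64
import hashlib
import hmac
import json

# Example token copied from the page (HS256; payload carries sub, name and iat).
# Assumption: it was signed with the jwt.io demo secret "your-256-bit-secret".
PAGE_TOKEN = (
    "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9."
    "eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ."
    "SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c"
)
PAGE_TOKEN_SECRET = b"your-256-bit-secret"


def b64url_decode(segment: str) -> bytes:
    """JWT segments are base64url without '=' padding; restore it before decoding."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _compact_json(obj: dict) -> bytes:
    # No whitespace, same as the encoders used by common JWT libraries
    return json.dumps(obj, separators=(",", ":")).encode("utf-8")


def decode_unverified(token: str):
    """Split a token and decode its parts. This is all a decoder tool does;
    it proves nothing about authenticity because the signature is not checked."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("a JWS compact token has exactly three dot-separated parts")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(b64url_decode(header_b64))
    payload = json.loads(b64url_decode(payload_b64))
    return header, payload, b64url_decode(sig_b64)


def sign_hs256(header: dict, payload: dict, secret: bytes) -> str:
    """Build base64url(header).base64url(payload).base64url(HMAC-SHA256(secret, input))."""
    signing_input = b64url_encode(_compact_json(header)) + "." + b64url_encode(_compact_json(payload))
    sig = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def verify_hs256(token: str, secret: bytes) -> dict:
    """Return the payload only if the header says HS256 and the HMAC matches.
    The verifier pins the algorithm; it never lets the untrusted header pick one
    (so alg "none" or a swapped algorithm is rejected before any key is used)."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError(f"unexpected alg {header.get('alg')!r}; refusing token")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    # Constant-time comparison so the check does not leak timing information
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch: token was altered or signed with another key")
    return json.loads(b64url_decode(payload_b64))


def is_valid_hs256(token: str, secret: bytes) -> bool:
    try:
        verify_hs256(token, secret)
        return True
    except ValueError:  # covers JSON and base64 decoding errors as well
        return False


def tamper_payload(token: str, new_payload: dict) -> str:
    """Replace the payload but keep the original signature: what an attacker can do
    to a token they hold. It still decodes cleanly; it must fail verification."""
    header_b64, _, sig_b64 = token.split(".")
    return ".".join([header_b64, b64url_encode(_compact_json(new_payload)), sig_b64])


if __name__ == "__main__":
    header, payload, _ = decode_unverified(PAGE_TOKEN)
    print("header:", header)
    print("payload (unverified):", payload)
    print("verified payload:", verify_hs256(PAGE_TOKEN, PAGE_TOKEN_SECRET))

    # Constructed demo: mint a token, forge its role, and watch verification reject it
    mine = sign_hs256({"alg": "HS256", "typ": "JWT"}, {"sub": "42", "role": "user"}, b"constructed-demo-secret")
    forged = tamper_payload(mine, {"sub": "42", "role": "admin"})
    print("forged token decodes to role:", decode_unverified(forged)[1]["role"])
    print("forged token verifies:", is_valid_hs256(forged, b"constructed-demo-secret"))
```

The decoder you paste a token into behaves like decode_unverified: it will happily show you a forged payload. Only verify_hs256 (or your library's verify call, given the key and a pinned algorithm) tells you whether the claims can be trusted.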
Common JWT Claims (Standard Fields)
| Claim | Full Name | Description |
|---|---|---|
| iss | Issuer | Identifies who issued the token; verifiers should accept only a known issuer |
| sub | Subject | Identifies the principal the token is about (often a user ID) |
| aud | Audience | Identifies the intended recipients (a string or an array of strings); a service must reject tokens not issued for it |
| exp | Expiration Time | UNIX timestamp (seconds) after which the token must be rejected |
| nbf | Not Before | UNIX timestamp before which the token must be rejected |
| iat | Issued At | UNIX timestamp when the token was issued |
| jti | JWT ID | Unique identifier for the token, used to detect replay or to revoke individual tokens |
JWT Security Best Practices
Use Short Expiration Times
Set exp to 15-60 minutes for access tokens. Use refresh tokens for longer sessions. Short-lived tokens reduce damage if compromised.
Store Secrets Securely
Never embed signing secrets in client-side or mobile code, and never commit them to source control. For HS256 use a long random secret (at least 256 bits) loaded from the environment or a secrets manager, and remember that every service able to verify an HS256 token can also mint one. Prefer RS256 or ES256 when several services verify tokens: only the issuer holds the private key, and verifiers need only the public key.
Validate All Claims
Verify the signature before reading any claim, and pin the algorithm your verifier accepts instead of trusting the alg value in the token header (reject alg set to none outright). Then validate iss, aud, exp and nbf against the values your service expects, treating a missing exp or aud as a failure rather than a pass. Do this in one shared auth middleware so no endpoint can skip a check.
Use HTTPS Only
Always transmit JWTs over HTTPS. Never send tokens over unencrypted HTTP. Tokens can be intercepted in transit otherwise.
Don't Store Sensitive Data
The header and payload are base64url encoded, not encrypted. Anyone who obtains the token can decode and read them. Never put passwords, card numbers or other sensitive data in a JWT payload; if you must carry confidential claims, use an encrypted token (JWE) instead.
Implement Token Blacklisting
For logout or a suspected compromise, keep a denylist of revoked token IDs (jti) and check it before accepting any token. Store each entry only until that token's exp, so the list stays small when access tokens are short-lived. Revocation reintroduces server-side state; that is the trade-off for combining short-lived access tokens with refresh tokens.
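As an added example (not code from the page or any particular library), the following Python covers the "Validate All Claims" and "Implement Token Blacklisting" practices together: a claims validator that checks iss, aud, exp and nbf against expected values with a small clock-skew leeway, plus a jti denylist that prunes itself as tokens expire. It assumes the signature has already been verified with a pinned algorithm and that the caller passes the decoded claims as a dict. The issuer, audience and claim values in the demo are constructed for this example; the class and function names are this example's own.

```python
import time
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class RevocationList:
    """In-memory denylist of revoked jti values, e.g. filled on logout.
    Entries are kept only until the token would have expired anyway, so the
    list stays bounded as long as access tokens are short-lived."""
    revoked: dict = field(default_factory=dict)  # jti -> exp of that token

    def revoke(self, jti: str, exp: int) -> None:
        self.revoked[jti] = exp

    def prune(self, now: int) -> None:
        self.revoked = {j: e for j, e in self.revoked.items() if e > now}

    def is_revoked(self, jti: str, now: int) -> bool:
        self.prune(now)
        return jti in self.revoked


def _numeric_date(value) -> bool:
    # RFC 7519 NumericDate: a JSON number; bool is excluded because it is an int subclass
    return isinstance(value, (int, float)) and not isinstance(value, bool)


def validate_claims(
    claims: dict,
    expected_iss: str,
    expected_aud: str,
    revoked: RevocationList,
    now: Optional[int] = None,
    leeway: int = 30,
) -> list:
    """Return the reasons the claims must be rejected; an empty list means accept.
    Every check is explicit: a missing exp or aud is a failure, not a pass."""
    now = int(time.time()) if now is None else now
    errors = []

    if claims.get("iss") != expected_iss:
        errors.append(f"iss {claims.get('iss')!r} is not the trusted issuer")

    # aud may be a single string or an array of strings (RFC 7519 section 4.1.3)
    aud = claims.get("aud")
    audiences = aud if isinstance(aud, list) else [aud]
    if expected_aud not in audiences:
        errors.append("token was not issued for this audience")

    exp = claims.get("exp")
    if not _numeric_date(exp):
        errors.append("exp missing or not a number; tokens must expire")
    elif now > exp + leeway:
        errors.append(f"token expired {int(now - exp)} seconds ago")

    nbf = claims.get("nbf")
    if _numeric_date(nbf) and now + leeway < nbf:
        errors.append("token is not yet valid (nbf is in the future)")

    jti = claims.get("jti")
    if jti is not None and revoked.is_revoked(jti, now):
        errors.append(f"token {jti} has been revoked")

    return errors


if __name__ == "__main__":
    # Constructed claims for the demo; a real caller passes the verified payload
    now = int(time.time())
    denylist = RevocationList()
    claims = {"iss": "https://auth.example.com", "aud": "orders-api", "sub": "123",
              "exp": now + 600, "nbf": now - 5, "jti": "token-1"}
    print("fresh token:", validate_claims(claims, "https://auth.example.com", "orders-api", denylist, now))
    print("wrong audience:", validate_claims(dict(claims, aud="billing-api"),
                                             "https://auth.example.com", "orders-api", denylist, now))
    denylist.revoke("token-1", claims["exp"])  # user logged out
    print("after logout:", validate_claims(claims, "https://auth.example.com", "orders-api", denylist, now))
```

Returning a list of reasons rather than a bare boolean keeps the middleware's rejection log useful without leaking detail to the client: log the list, return a generic 401.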
How to Generate JWT in Different Languages
Node.js (jsonwebtoken)

```javascript
const jwt = require('jsonwebtoken');

// The signing secret comes from the environment, never from source code
const token = jwt.sign(
  { userId: 123, role: 'admin' },
  process.env.JWT_SECRET,
  { algorithm: 'HS256', expiresIn: '1h' }
);
```

Python (PyJWT)

```python
import os
import time
import jwt

payload = {
    'userId': 123,
    'role': 'admin',
    'exp': int(time.time()) + 3600,  # expire in one hour
}
token = jwt.encode(payload, os.environ['JWT_SECRET'], algorithm='HS256')
```

Java (jjwt)

```java
import io.jsonwebtoken.Jwts;
import io.jsonwebtoken.SignatureAlgorithm;
import io.jsonwebtoken.security.Keys;

// jjwt enforces a 256-bit minimum for HS256 keys, so the secret must be at least 32 bytes
byte[] secret = System.getenv("JWT_SECRET").getBytes();
String token = Jwts.builder()
    .setSubject("123")
    .claim("role", "admin")
    .signWith(Keys.hmacShaKeyFor(secret), SignatureAlgorithm.HS256)
    .compact();
```

PHP (firebase/php-jwt)

```php
<?php
use Firebase\JWT\JWT;

$payload = ['userId' => 123, 'role' => 'admin', 'exp' => time() + 3600];
$token = JWT::encode($payload, getenv('JWT_SECRET'), 'HS256');
```

Ruby (ruby-jwt)

```ruby
require 'jwt'

payload = { userId: 123, role: 'admin', exp: Time.now.to_i + 3600 }
token = JWT.encode payload, ENV.fetch('JWT_SECRET'), 'HS256'
```

Go (golang-jwt)

```go
import (
	"os"
	"time"

	"github.com/golang-jwt/jwt/v5"
)

token := jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.MapClaims{
	"userId": 123,
	"role":   "admin",
	"exp":    time.Now().Add(time.Hour).Unix(),
})
// Check the error instead of discarding it: a failed signing must not yield an empty token
tokenString, err := token.SignedString([]byte(os.Getenv("JWT_SECRET")))
if err != nil {
	panic(err) // or return err to the caller
}
```
Working with JWT tokens regularly?
Bookmark this decoder for quick inspection and debugging of your authentication tokens.