JWT Decoder
Decode and inspect JSON Web Tokens (JWT) to understand their contents and claims.
About JWTs
JSON Web Tokens (JWTs) are an open standard (RFC 7519) for securely transmitting information between parties as a JSON object. They are commonly used for authentication and authorization in web applications and APIs.
JWT Structure
A JWT consists of three parts separated by dots (.):
- Header - Contains metadata about the token, such as the type and signing algorithm
- Payload - Contains the claims (statements about the user) and additional data
- Signature - Ensures the token hasn't been altered after being issued
Common JWT Claims
- iss (Issuer) - Who issued the token
- sub (Subject) - Who the token refers to
- aud (Audience) - Who the token is intended for
- exp (Expiration Time) - When the token expires
- nbf (Not Before) - When the token starts being valid
- iat (Issued At) - When the token was issued
- jti (JWT ID) - Unique identifier for the token
JWT Security Considerations
- Never store sensitive information in a JWT payload: unless the token is encrypted (JWE), the payload is only base64url-encoded, not encrypted, so anyone holding the token can read it
- Always use HTTPS when transmitting JWTs to prevent token theft
- Set appropriate expiration times for your JWTs to minimize risk if compromised
- Consider using refresh tokens alongside JWTs for better security
- Validate tokens on the server side before trusting the claims they contain
Note
This tool only decodes JWTs for inspection and does not verify the cryptographic signature. In production systems, always verify JWT signatures before trusting their contents.
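The following Python example is added here to illustrate both the three-part structure described above and the difference the Note draws between decoding and verifying. It is not the tool's own code. It builds a constructed HS256 token under a constructed key, decodes the header and payload the way an inspection tool does (no signature check), and then shows a server-side verification that pins the algorithm, checks the HMAC in constant time, and enforces the exp, nbf and aud claims. A payload altered after signing still decodes cleanly but fails verification. The key, claim values and function names are assumptions for the example.

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed sample key and claims for this example only.
SAMPLE_KEY = b"example-hmac-key-not-for-production"
SAMPLE_CLAIMS = {
    "iss": "example-issuer",
    "sub": "user-123",
    "aud": "example-api",
    "iat": 1_700_000_000,
    "nbf": 1_700_000_000,
    "exp": 1_700_003_600,
    "jti": "constructed-token-id",
}


def b64url_encode(raw: bytes) -> str:
    """Base64url without '=' padding, as JWT segments are encoded."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def b64url_decode(segment: str) -> bytes:
    """Restore the padding the encoder stripped, then decode."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_hs256_token(claims: dict, key: bytes) -> str:
    """Build a signed token so the example has realistic input (constructed)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    sig = hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def decode_jwt(token: str) -> dict:
    """What a decoder tool does: split on '.', base64url-decode, parse JSON.
    No signature check happens here; the result must not be trusted."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("a compact JWT has exactly three dot-separated segments")
    header_b64, payload_b64, sig_b64 = parts
    return {
        "header": json.loads(b64url_decode(header_b64)),
        "payload": json.loads(b64url_decode(payload_b64)),
        "signature": b64url_decode(sig_b64),
    }


def verify_hs256(token: str, key: bytes, audience: str, now: Optional[int] = None) -> dict:
    """Server-side verification: signature first, then time and audience claims.
    Returns the payload on success and raises ValueError otherwise."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    header = json.loads(b64url_decode(header_b64))
    # Pin the algorithm: the token's own header must not decide how it is verified.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg %r" % header.get("alg"))
    signing_input = (header_b64 + "." + payload_b64).encode("ascii")
    expected = hmac.new(key, signing_input, hashlib.sha256).digest()
    # compare_digest keeps the comparison constant-time.
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    payload = json.loads(b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if "exp" in payload and now >= payload["exp"]:
        raise ValueError("token expired")
    if "nbf" in payload and now < payload["nbf"]:
        raise ValueError("token not yet valid")
    if payload.get("aud") != audience:
        raise ValueError("token not intended for this audience")
    return payload


def altered_payload_same_signature(token: str, new_sub: str) -> str:
    """Re-encode the payload with a different 'sub' but keep the original signature.
    Used below to show that decoding succeeds while verification fails."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    payload = json.loads(b64url_decode(payload_b64))
    payload["sub"] = new_sub
    new_payload_b64 = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    return ".".join([header_b64, new_payload_b64, sig_b64])


if __name__ == "__main__":
    token = make_hs256_token(SAMPLE_CLAIMS, SAMPLE_KEY)
    print("decoded header :", decode_jwt(token)["header"])
    print("decoded payload:", decode_jwt(token)["payload"])
    print("verified sub   :", verify_hs256(token, SAMPLE_KEY, "example-api", now=1_700_000_100)["sub"])
    altered = altered_payload_same_signature(token, "someone-else")
    print("altered decodes to sub:", decode_jwt(altered)["payload"]["sub"])
    try:
        verify_hs256(altered, SAMPLE_KEY, "example-api", now=1_700_000_100)
    except ValueError as exc:
        print("altered token rejected:", exc)
```

The `now` parameter exists so the clock can be fixed for repeatable checks; in a real service leave it unset so `time.time()` is used. Note that `exp` is treated as exclusive and `nbf` as inclusive, matching RFC 7519's wording, and that a small clock-skew allowance is a common addition not shown here.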