JWT Decoder

Free Online JSON Web Token Debugger & Explainer

Understanding JSON Web Tokens (JWT)

JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. The claims in a JWT are encoded as a JSON object that is used as the payload of a JSON Web Signature (JWS) structure or as the plaintext of a JSON Web Encryption (JWE) structure, enabling the claims to be digitally signed or integrity protected with a Message Authentication Code (MAC) and/or encrypted.

How a JWT is Structured

In its compact form, a JSON Web Token consists of three parts separated by dots (.): the header, the payload, and the signature.

The Formula Behind JWT

The output is typically three Base64-URL strings separated by dots. The structure looks like this:

base64UrlEncode(header) + "." + base64UrlEncode(payload) + "." + signature

To create the signature:

HMACSHA256(
  base64UrlEncode(header) + "." +
  base64UrlEncode(payload),
  secret
)

What are Claims?

Claims are the "meat" of the JWT. Common registered claims include the ones in the example below, such as sub (the subject the token is about) and iat (the time at which it was issued).

Practical Example

Imagine a user logs into a service. The server validates the credentials and returns a JWT. The payload might look like this:

{
  "sub": "1234567890",
  "name": "John Doe",
  "admin": true,
  "iat": 1516239022
}

The client stores this token (often in LocalStorage or a cookie) and sends it in the Authorization header using the Bearer scheme on subsequent requests. The server only has to check the signature to verify the user's identity, without hitting the database for every single request.

Security Best Practices

  1. Do Not Store Sensitive Data: A signed JWT (JWS) is encoded, not encrypted. Anyone who intercepts the token can read the payload. Never store passwords, SSNs, or private keys in the payload.
  2. Validate the Algorithm: Always enforce the expected algorithm on the server side rather than trusting the alg field in the header, to prevent "alg: none" attacks.
  3. Use HTTPS: Always transmit tokens over encrypted connections to prevent man-in-the-middle attacks.
  4. Keep Secrets Secret: If using HMAC, ensure your secret key is long, complex, and stored securely.
  5. Short Expiration: Set a reasonable expiration time to limit the window of opportunity if a token is stolen.

Common Mistakes to Avoid

Frequently Asked Questions

Is JWT the same as OAuth2?

No. OAuth2 is an authorization framework, while JWT is a token format. OAuth2 can use JWTs as access tokens, but it isn't required to.

Can I revoke a JWT?

By design, JWTs are stateless and hard to revoke before they expire. To revoke them, you usually need a "blacklist" or "revocation list" stored in a fast database like Redis.

What is Base64Url encoding?

It is a variation of Base64 that replaces + with -, / with _, and removes the padding = characters to make the string safe for URLs.

Why is my JWT not decoding?

Ensure it has exactly two dots and that it follows the standard format. Sometimes hidden characters or extra spaces can break the decoding process.

Is this tool safe?

Yes. This decoder runs entirely in your browser. We do not transmit your token to any server. You can even use it offline once the page is loaded.