JWT Decoder

Decode JSON Web Tokens and view header and payload.

JSON Web Token (JWT): Complete guide for developers

A JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact, URL-safe method of transmitting claims between parties as a JSON object. JWTs are widely used for authentication and authorization in modern web applications, REST APIs, and microservice architectures. Each token carries information about the user's identity and permissions that the receiving party can verify.

A JWT consists of three parts encoded in Base64URL and separated by dots: Header (algorithm and token type), Payload (data or "claims" such as user ID, roles, and expiration date), and Signature (a cryptographic signature or MAC over the first two parts, which lets the receiver verify the token hasn't been tampered with). This tool decodes the first two parts for visual inspection; it does not check the signature.

Practical use cases

API debugging: When your API returns a 401 or 403 error, decode the JWT to verify if the token has expired, if the roles are correct, or if the payload contains the expected data.

Frontend development: Inspect the JWT stored in localStorage or cookies to verify that user information, permissions, and expiration date are correct.

Security testing: Verify that your JWT doesn't contain sensitive information (passwords, personal data) in the payload, since it's readable by anyone without the secret key.

Frequently asked questions

Is decoding a JWT the same as verifying it?

No. Decoding simply reads the Header and Payload content (anyone can do it, because Base64URL is an encoding, not encryption). Verifying involves checking the cryptographic signature with the secret key (or, for asymmetric algorithms such as RS256, the issuer's public key) to ensure the token is authentic and hasn't been modified. This tool only decodes; it doesn't verify.

What are payload "claims"?

Claims are statements about the entity (usually the user) plus additional metadata. Registered claims include: iss (issuer), exp (expiration), iat (issued at), sub (subject). Custom claims carry your application's own data, such as roles, email, or permissions.

Is the "none" algorithm safe in JWT?

No, never. The "none" algorithm allows creating tokens without a signature, meaning anyone can forge tokens that a careless server would accept. Make sure your server always rejects tokens with the "none" algorithm and accepts only the algorithm it expects, such as HS256 or RS256, rather than trusting whatever the token's header declares.
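The difference between decoding and verifying, and the "none" rejection described above, as an added example in Python using only the standard library (this is not the decoder tool's own code). The secret, header and claims are constructed sample values; decode_jwt mirrors what a decoder tool does, while verify_hs256 pins the algorithm, recomputes the HMAC in constant time and enforces exp:

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Optional

# Constructed sample values for this example only; a real key is never hardcoded.
SAMPLE_SECRET = b"example-shared-secret"
SAMPLE_HEADER = {"alg": "HS256", "typ": "JWT"}
SAMPLE_PAYLOAD = {"sub": "123", "exp": 1700000000}


def b64url_decode(segment: str) -> bytes:
    """Decode one Base64URL segment, restoring the '=' padding that JWT strips."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def b64url_encode(data: bytes) -> str:
    """Encode bytes as unpadded Base64URL, as JWT segments require."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def json_segment(obj: dict) -> str:
    """Serialise a JSON object compactly and Base64URL-encode it."""
    return b64url_encode(json.dumps(obj, separators=(",", ":")).encode())


def decode_jwt(token: str) -> dict:
    """Decode only: return header and payload without touching the signature.
    This is all a decoder tool does; it says nothing about authenticity."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("a JWT has exactly three dot-separated parts")
    return {"header": json.loads(b64url_decode(parts[0])),
            "payload": json.loads(b64url_decode(parts[1]))}


def verify_hs256(token: str, secret: bytes, now: Optional[int] = None) -> dict:
    """Verify: pin the algorithm to HS256 (so 'none' and every other alg are
    rejected before the signature is even looked at), recompute HMAC-SHA256
    over header.payload, compare in constant time, then enforce 'exp'."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("a JWT has exactly three dot-separated parts")
    header_b64, payload_b64, sig_b64 = parts
    alg = json.loads(b64url_decode(header_b64)).get("alg")
    if alg != "HS256":
        raise ValueError(f"unsupported or unsafe alg: {alg!r}")
    signing_input = f"{header_b64}.{payload_b64}".encode("ascii")
    expected = hmac.new(secret, signing_input, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig_b64)):
        raise ValueError("signature mismatch")
    payload = json.loads(b64url_decode(payload_b64))
    now = int(time.time()) if now is None else now
    if "exp" in payload and now >= int(payload["exp"]):
        raise ValueError("token expired")
    return payload


def classify(token: str, secret: bytes, now: Optional[int] = None) -> str:
    """Return 'valid' or the reason the verifier rejected the token."""
    try:
        verify_hs256(token, secret, now)
        return "valid"
    except ValueError as err:
        return str(err)


def make_hs256_token(header: dict, payload: dict, secret: bytes) -> str:
    """Mint a signed token; used only to build the constructed samples below."""
    h, p = json_segment(header), json_segment(payload)
    sig = hmac.new(secret, f"{h}.{p}".encode("ascii"), hashlib.sha256).digest()
    return f"{h}.{p}.{b64url_encode(sig)}"


def sample_token() -> str:
    """A correctly signed constructed token."""
    return make_hs256_token(SAMPLE_HEADER, SAMPLE_PAYLOAD, SAMPLE_SECRET)


def unsigned_sample_token() -> str:
    """Same claims with alg 'none' and an empty signature: a test fixture
    for the rejection path, never something a server should accept."""
    return f"{json_segment({'alg': 'none', 'typ': 'JWT'})}.{json_segment(SAMPLE_PAYLOAD)}."


def tampered_sample_token() -> str:
    """The signed token with 'sub' edited in the payload but the old signature kept."""
    h, _, sig = sample_token().split(".")
    return f"{h}.{json_segment({**SAMPLE_PAYLOAD, 'sub': '456'})}.{sig}"


if __name__ == "__main__":
    samples = [("signed", sample_token()), ("alg none", unsigned_sample_token()),
               ("tampered", tampered_sample_token())]
    for name, tok in samples:
        print(f"{name:9} decoded payload: {decode_jwt(tok)['payload']}  "
              f"verifier: {classify(tok, SAMPLE_SECRET, now=1699999999)}")
```

Running it shows the point of the FAQ: decode_jwt happily reads the claims out of all three tokens, including the forged ones, while only the genuinely signed, unexpired token comes back as valid from the verifier.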

Where should I store the JWT on the frontend?

HttpOnly cookies are the most secure option against XSS, because scripts cannot read them (since the browser sends them automatically, pair them with a SameSite attribute or other CSRF protection). localStorage is simpler but readable by any script that runs on the page, so it is vulnerable to XSS. sessionStorage is similar but gets cleared when the tab is closed. Never store JWTs in global variables accessible to third-party scripts.

JWT structure

Part      | Content                 | Example
Header    | Algorithm and type      | {"alg": "HS256", "typ": "JWT"}
Payload   | User claims             | {"sub": "123", "exp": 1700000000}
Signature | Cryptographic signature | HMACSHA256(base64url(header) + "." + base64url(payload), secret)