Understanding JSON Web Tokens (JWT)
JSON Web Tokens (JWT) are a compact, URL-safe means of representing claims between two parties. They consist of three parts: a header containing the algorithm and token type, a payload containing claims (user data), and a signature for verification.
JWTs are widely used for authentication and authorization in modern web applications, especially with RESTful APIs. They enable stateless authentication where the server doesn't need to store session information.
JWT Structure
- Header: Contains the token type (JWT) and signing algorithm (HS256, RS256, etc.)
- Payload: Contains claims, i.e. statements about the user and additional metadata
- Signature: Ensures the token hasn't been altered; created using the header, payload, and a secret key
How to Decode a JWT
Step 1: Obtain Your JWT
Get your JWT from your authentication system, browser cookies, localStorage, or API response headers (Authorization: Bearer token).
Step 2: Paste and Decode
Paste the complete JWT token in the input field and click "Decode JWT". The tool will parse all three parts and display them in a readable format.
Step 3: Analyze the Results
Review the decoded header for algorithm information, the payload for user claims and permissions, and check the expiration status. Note that decoding does not verify the signature: verification requires the secret (HS256) or the issuer's public key (RS256).
Common JWT Claims
- iss (Issuer): Who issued the token
- sub (Subject): User identifier
- aud (Audience): Intended recipient
- exp (Expiration): When the token expires
- iat (Issued At): When the token was issued
- nbf (Not Before): Token not valid before this time
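The decoding steps above and the claim checks in this list, as an added example in Node.js; this is not the page's tool code. It assumes Node's Buffer for base64url handling, and the sample payload and token are constructed here. It decodes only: the signature segment is returned as-is, not verified.

```javascript
// Added example: decode a JWT's header and payload and evaluate the standard
// time, issuer and audience claims. Decoding only; the signature is NOT verified.

// Base64url (as used by JWT) differs from plain base64: '-' and '_' replace
// '+' and '/', and the trailing '=' padding is dropped, so restore both first.
function base64UrlDecode(segment) {
  const b64 = segment.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Buffer.from(padded, 'base64').toString('utf8');
}

function base64UrlEncode(str) {
  return Buffer.from(str, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Split the compact serialization into its three parts and parse the two JSON ones.
function decodeJwt(token) {
  const parts = token.split('.');
  if (parts.length !== 3) throw new Error('JWT must have exactly three dot-separated parts');
  const [h, p, s] = parts;
  return {
    header: JSON.parse(base64UrlDecode(h)),
    payload: JSON.parse(base64UrlDecode(p)),
    signature: s, // left base64url-encoded; checking it needs the key
  };
}

// Evaluate exp/nbf against "now" (seconds since the Unix epoch) and iss/aud
// against what this application expects. Returns a list of problems; an empty
// list means every checked claim is acceptable.
function checkClaims(payload, { now, issuer, audience, leewaySeconds = 0 }) {
  const problems = [];
  if (typeof payload.exp === 'number' && now > payload.exp + leewaySeconds) {
    problems.push('expired');
  }
  if (typeof payload.nbf === 'number' && now + leewaySeconds < payload.nbf) {
    problems.push('not yet valid');
  }
  if (issuer !== undefined && payload.iss !== issuer) {
    problems.push('unexpected issuer');
  }
  if (audience !== undefined) {
    // aud may be a single string or an array of strings.
    const aud = Array.isArray(payload.aud) ? payload.aud : [payload.aud];
    if (!aud.includes(audience)) problems.push('not intended for this audience');
  }
  return problems;
}

// Build a constructed sample token (header + payload; the signature segment is a
// placeholder, since this example does not sign).
function makeSampleToken(payload) {
  const header = { alg: 'HS256', typ: 'JWT' };
  return `${base64UrlEncode(JSON.stringify(header))}.${base64UrlEncode(JSON.stringify(payload))}.signature-placeholder`;
}

// Constructed sample values (hypothetical issuer and audience).
const SAMPLE_PAYLOAD = {
  iss: 'https://issuer.example',
  sub: 'user-42',
  aud: 'api.example',
  iat: 1700000000,
  nbf: 1700000000,
  exp: 1700003600,
};
const SAMPLE_TOKEN = makeSampleToken(SAMPLE_PAYLOAD);

// Usage: decode, then check claims at a chosen time.
const decoded = decodeJwt(SAMPLE_TOKEN);
console.log(decoded.header, decoded.payload);
console.log(checkClaims(decoded.payload, { now: 1700001000, issuer: 'https://issuer.example', audience: 'api.example' }));
```

`checkClaims` takes the expected issuer and audience as parameters rather than reading them from the token, because the token's own claims cannot vouch for themselves; `leewaySeconds` absorbs small clock differences between issuer and verifier.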
JWT Use Cases
Authentication & Authorization
The most common use case. After login, each subsequent request includes the JWT, allowing access to routes, services, and resources permitted by that token.
Single Sign-On (SSO)
JWTs enable SSO across multiple domains and applications. Users authenticate once and can access multiple services without re-authenticating.
API Security
Secure API endpoints by requiring valid JWTs. Include roles and permissions in the token payload for fine-grained access control.
Microservices Communication
JWTs facilitate secure communication between microservices without additional authentication roundtrips, enabling efficient service-to-service authorization.
Frequently Asked Questions
Q: Is it safe to decode JWTs online?
A: Yes, when using client-side tools like this one. The decoding happens entirely in your browser - no data is sent to any server. The payload is only Base64 encoded, not encrypted, so anyone with the token can read it anyway.
Q: Can this tool verify JWT signatures?
A: This tool decodes and displays the signature but cannot verify it without the secret key. Signature verification should be done server-side with the appropriate secret or public key.
Q: Why is my token showing as expired?
A: The 'exp' claim contains a Unix timestamp. If the current time exceeds this value, the token is expired. Check the expiration time displayed and compare with the current time.
Q: What's the difference between HS256 and RS256?
A: HS256 uses a symmetric secret (same key for signing and verification), while RS256 uses asymmetric keys (private key for signing, public key for verification). RS256 is preferred for distributed systems.