Paste a JWT token below to decode and inspect its contents. All processing happens in your browser - your token is never sent to a server.
A JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. JWTs are commonly used for authentication and authorization in web applications and APIs. The token is digitally signed, which allows the recipient to verify that the token hasn't been tampered with.
A JWT consists of three parts separated by dots (.):
Header: contains metadata about the token, including the type (JWT) and the signing algorithm being used (such as HMAC SHA256 or RSA).
Payload: contains the claims - statements about an entity (typically the user) and additional data. Claims can include standard registered claims like exp (expiration), iat (issued at), and custom claims.
Signature: used to verify that the sender of the JWT is who it says it is and to ensure that the message wasn't changed along the way. The signature is computed over the encoded header and payload using a secret key (or a private key for asymmetric algorithms).
exp (expiration time): identifies the expiration time on or after which the JWT must not be accepted for processing. This helps ensure that tokens have a limited lifetime.
iat (issued at): identifies the time at which the JWT was issued. This can be used to determine the age of the JWT.
nbf (not before): identifies the time before which the JWT must not be accepted for processing.
iss (issuer): identifies the principal that issued the JWT.
sub (subject): identifies the principal that is the subject of the JWT (often the user ID).
aud (audience): identifies the recipients that the JWT is intended for.
Using the JWT Decoder tool is simple:
This tool is completely client-side. All JWT decoding happens in your browser using JavaScript. Your tokens are never sent to any server, ensuring your security and privacy. You can even use this tool offline once the page is loaded.
However, remember that JWTs are only encoded, not encrypted. Anyone with access to a JWT can decode it and read its contents. This is why you should never store sensitive information like passwords in JWT payloads. The signature ensures the token hasn't been modified, but it doesn't hide the contents.
After a user logs in, a JWT can be issued and sent with subsequent requests to verify the user's identity without requiring the server to maintain session state.
JWTs can securely transmit information between parties because they can be signed, allowing you to verify the sender and ensure the message hasn't been tampered with.
JWTs are commonly used in REST APIs to authorize access to protected resources.
Set appropriate expiration times to limit the window of opportunity if a token is compromised.
Always transmit JWTs over HTTPS to prevent interception.
Store JWTs securely in your application, avoiding localStorage when possible. Consider using httpOnly cookies for sensitive applications.
Always validate JWTs on the server side, checking the signature, expiration, and any custom claims.
Remember that JWTs can be decoded by anyone, so avoid storing sensitive information in the payload.
This tool is particularly useful for developers who need to: