JWT Decoder
Decode and inspect JSON Web Tokens. View the header, payload, and signature. Check expiration and algorithm details.
About JWT
JSON Web Tokens (JWT) are used for authentication and information exchange. A JWT contains three parts:
- Header - Algorithm and token type
- Payload - Claims (user data, expiration, etc.)
- Signature - Verifies the token wasn't tampered with
What is a JWT?
A JSON Web Token (JWT, pronounced “jot”) is a compact, URL-safe way to represent claims between two parties. JWTs are commonly used for authentication - after you log in, the server gives you a JWT that you include with subsequent requests to prove your identity.
A JWT looks like this:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
JWT structure
A JWT has three parts separated by dots:
Header - Algorithm and token type:
{
  "alg": "HS256",
  "typ": "JWT"
}
Payload - The claims (user data):
{
  "sub": "1234567890",
  "name": "John Doe",
  "iat": 1516239022
}
Signature - Verifies the token wasn't tampered with.
Each part is Base64URL encoded (an encoding, not encryption), which makes the token safe to put in URLs and headers.
Standard JWT claims
| Claim | Name | Description |
|---|---|---|
| iss | Issuer | Who created the token |
| sub | Subject | Who the token is about |
| aud | Audience | Who the token is for |
| exp | Expiration | When the token expires (Unix timestamp, seconds) |
| nbf | Not Before | Token is not valid before this time (Unix timestamp, seconds) |
| iat | Issued At | When the token was created (Unix timestamp, seconds) |
| jti | JWT ID | Unique token identifier |
JWT algorithms
Symmetric (shared secret):
- HS256 - HMAC with SHA-256
- HS384 - HMAC with SHA-384
- HS512 - HMAC with SHA-512
Asymmetric (public/private key):
- RS256 - RSA with SHA-256
- RS384 - RSA with SHA-384
- RS512 - RSA with SHA-512
- ES256 - ECDSA with P-256
- ES384 - ECDSA with P-384
- ES512 - ECDSA with P-521
Avoid "none" - Tokens with algorithm "none" carry no signature, so nothing can be verified. Never accept them in production.
JWT security considerations
JWTs are not encrypted, only encoded - anyone who holds a JWT can decode and read it. Never include sensitive data like passwords.
Always verify the signature - Don’t trust a JWT’s contents without verifying the signature with the correct key.
Check expiration - Always validate the exp claim. Reject expired tokens.
Use short expiration times - A stateless JWT can't be revoked before it expires, so keep lifetimes short (minutes to hours).
Validate the issuer and audience - Ensure the token is from who you expect and meant for you.
Common JWT mistakes
Storing sensitive data:
// Don't do this
{
  "userId": 123,
  "password": "secret123", // Never!
  "creditCard": "4111..." // Never!
}
Not verifying before trusting:
// Wrong - trusts without verification
const payload = JSON.parse(atob(token.split('.')[1]));
if (payload.admin) grantAccess(); // Dangerous!
Ignoring algorithm:
// Attacker sends alg: "none"
// Server must reject tokens with algorithm "none"
How this tool works
Paste a JWT to decode and inspect its header and payload. The tool shows expiration status, algorithm information, and formatted timestamps. Note: This tool decodes but does not verify signatures (that requires the secret key). Powered by a QuantCDN Edge Function.