The Ultimate Guide to JWT (JSON Web Tokens)
In the modern web, secure authentication is critical. JSON Web Tokens (JWT) have become the industry standard for securely transmitting information between parties as a JSON object. Our JWT Decoder helps developers inspect and debug these tokens instantly without sending them to a server.
[Image of JWT structure diagram]
What is a JWT?
A JWT is a compact, URL-safe means of representing claims to be transferred between two parties. It consists of three parts separated by dots (`.`):
1. Header
Contains the type of token (JWT) and the signing algorithm being used, such as HMAC SHA256 or RSA.
2. Payload
Contains the "claims". Claims are statements about an entity (typically, the user) and additional data like expiry (`exp`).
3. Signature
Used to verify that the message wasn't changed along the way. It requires a secret key known only to the server.
Common JWT Claims
When you decode a payload, you might see these cryptic keys:
- sub (Subject): Whom the token refers to (usually the user ID).
- iss (Issuer): Who created the token (e.g., auth.google.com).
- exp (Expiration Time): Timestamp when the token expires. Our tool automatically converts this to a readable date.
- iat (Issued At): Timestamp when the token was created.
Security Warning ⚠️
Never paste your Private Key or Secret Key here. While our tool processes everything client-side (in your browser), it is best practice to never expose secrets in any frontend tool.
Also, remember that JWTs are Base64url encoded, not encrypted. This means anyone who gets hold of your token can read the payload (such as the user ID and email). Never put sensitive information like passwords or credit card numbers inside the JWT payload.
Why use this tool?
- Debugging: Quickly check if your backend is sending the correct user data.
- Expiry Check: Wondering why your login session ended? Paste the token here to see if it has expired.
- Format Validation: Ensure your token structure is valid before sending it to an API.