JWT Decoder - Decode, Verify & Analyze JSON Web Tokens
A powerful online tool to decode, verify, and analyze JWTs. Paste a token to inspect its contents, check its expiration, find security pitfalls, and verify its signature. Essential for developers working with token-based authentication.
Encoded Token
Decoded & Analyzed
Header
Payload
Verify Signature
Token Analysis
Interactive Analysis & Security Insights
A simple decoder is useful, but a truly great developer tool helps you build more secure and robust applications. Our JWT Decoder goes beyond basic verification by providing instant, automated analysis of your tokens. This helps you catch common mistakes and understand the lifecycle of your tokens at a glance.
Automatic Expiration Checking
The exp (expiration) claim is one of the most important security features of a JWT. It defines the exact time after which a token must not be accepted. Our tool automatically parses this claim and tells you not only if the token is valid or expired, but also by how much time. This immediate feedback can save hours of debugging "invalid token" errors that are simply due to clock skew or an expired token.
Security Pitfall Detection
There are several common ways to misconfigure a JWT that can lead to serious security vulnerabilities. Our analyzer actively checks for these issues:
- Unsecured Tokens (`alg: 'none'`): We immediately flag tokens that use the 'none' algorithm. These tokens are not signed and offer no security, as anyone can create them. This setting should never be allowed in a production environment.
- Missing Expiration Claim: A token without an expiration date can potentially be used forever if stolen. We'll warn you if the
expclaim is missing so you can enforce better security practices.
What is a JWT? A Developer's Guide
JSON Web Token (JWT), pronounced "jot", is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. This information can be verified and trusted because it is digitally signed. JWTs can be signed using a secret (with the HMAC algorithm) or a public/private key pair using RSA or ECDSA.
The Structure of a JSON Web Token
A JWT is not encrypted, but rather encoded. It consists of three distinct parts, separated by dots (.), which are the Header, Payload, and Signature. Our tool visually separates these three parts with color-coding, making it easy to see the structure at a glance.
- Header: The header typically consists of two parts: the type of the token, which is JWT, and the signing algorithm being used, such as HMAC SHA256 (HS256) or RSA. This JSON is Base64Url encoded to form the first part of the JWT.
- Payload: The payload contains the claims. Claims are statements about an entity (typically, the user) and additional data. There are three types of claims: registered, public, and private claims. This JSON is Base64Url encoded to form the second part of the JWT.
- Signature: To create the signature part, you have to take the encoded header, the encoded payload, a secret, the algorithm specified in the header, and sign that. The signature is used to verify the message wasn't changed along the way, and, in the case of tokens signed with a private key, it can also verify that the sender of the JWT is who it says it is.
Common Claims in the Payload
While you can include any data you want in the payload, the JWT standard defines several registered claim names that are recommended to provide a set of useful, interoperable claims.
| Claim | Name | Description |
|---|---|---|
| iss | Issuer | Identifies the principal that issued the JWT. |
| sub | Subject | Identifies the principal that is the subject of the JWT. |
| aud | Audience | Identifies the recipients that the JWT is intended for. |
| exp | Expiration Time | Identifies the expiration time on or after which the JWT MUST NOT be accepted for processing. |
| iat | Issued At | Identifies the time at which the JWT was issued. |
| jti | JWT ID | Provides a unique identifier for the JWT. |
Why is Signature Verification Critical?
The signature is the most critical part of a JWT for ensuring security. Since the header and payload are just Base64Url encoded, anyone can decode them and read their contents. The signature ensures data integrity.
When your server receives a JWT from a client, it must verify the signature. This process involves re-calculating the signature using the header, payload, and the secret key (which is known only to the server). If the calculated signature matches the signature on the token, the server knows two things:
- Authenticity: The token was created by a trusted party that holds the secret.
- Integrity: The header and payload have not been tampered with since the token was created.
Failing to verify the signature, or using a weak secret, can lead to severe security vulnerabilities, allowing attackers to forge tokens and gain unauthorized access to your application.
