JWT Decoder & Debugger

Decode and analyze JSON Web Tokens (JWT) instantly. View header, payload, and signature information. Perfect for debugging authentication tokens and OAuth implementations.

What is a JWT (JSON Web Token)?

JSON Web Token (JWT) is an open standard (RFC 7519) that defines a compact and self-contained way for securely transmitting information between parties as a JSON object. JWTs are commonly used for authentication and information exchange in modern web applications, mobile apps, and APIs. A JWT consists of three parts: Header, Payload, and Signature, separated by dots (.).

JWT Structure

eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIn0.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
Header (Algorithm & Token Type): eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9
Payload (Claims/Data): eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIn0
Signature (Verification): SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c

Common Use Cases for JWT

  • Authentication: User login sessions and identity verification
  • Authorization: Access control and permission management
  • Single Sign-On (SSO): Cross-domain authentication
  • API Security: Secure REST API endpoints with bearer tokens
  • OAuth 2.0: Third-party authorization flows
  • Microservices: Stateless authentication between services
  • Mobile Apps: Secure mobile application authentication
  • Information Exchange: Securely transmit data between parties
  • Password Reset: Time-limited password reset tokens
  • Email Verification: Verify email addresses with tokens

JWT Components Explained

1. Header

Contains metadata about the token, typically the signing algorithm (alg) and token type (typ).

{
  "alg": "HS256",
  "typ": "JWT"
}

2. Payload

Contains the claims (statements about an entity and additional data). Can include standard claims (iss, sub, exp, etc.) and custom claims.

{
  "sub": "1234567890",
  "name": "John Doe",
  "email": "[email protected]",
  "iat": 1516239022,
  "exp": 1735067822,
  "roles": ["user", "admin"]
}

3. Signature

Verifies that the token hasn't been tampered with. Created by signing the Base64url-encoded header and payload with a key: a shared secret for the HMAC algorithms, the issuer's private key for RSA and ECDSA. Decoding a token does not check the signature; only a verifier holding the right key can.

HMACSHA256(
  base64UrlEncode(header) + "." + base64UrlEncode(payload),
  secret
)

Standard JWT Claims

  • iss (Issuer): Who created and signed the token
  • sub (Subject): Who the token is about (usually user ID)
  • aud (Audience): Who the token is intended for
  • exp (Expiration Time): When the token expires (Unix timestamp)
  • nbf (Not Before): Time before which the token must not be accepted
  • iat (Issued At): When the token was created (Unix timestamp)
  • jti (JWT ID): Unique identifier for the token

Supported Algorithms

HMAC

HS256, HS384, HS512

RSA

RS256, RS384, RS512

ECDSA

ES256, ES384, ES512

PSS

PS256, PS384, PS512

Features

  • Instant Decoding: Decode JWT tokens in real-time
  • Pretty Formatting: View header and payload in formatted JSON
  • Expiration Check: Automatically detect expired tokens
  • Claims Analysis: Parse and display standard JWT claims
  • Algorithm Detection: Identify signing algorithm used
  • Copy Functions: Easily copy header or payload separately
  • Privacy Focused: All decoding happens in your browser
  • No Server Required: Pure client-side Base64 decoding
  • Color Coding: Visual distinction between token parts
  • Time Conversion: Convert Unix timestamps to readable dates

JWT Security Best Practices

  • Always use HTTPS to transmit JWTs to prevent interception
  • Keep the secret key secure and never expose it in client-side code
  • Set appropriate expiration times (exp claim) - shorter is more secure
  • Use strong signing algorithms (HS256, RS256, or better)
  • Validate tokens on every request in your backend
  • Don't store sensitive data in the payload - it's only Base64 encoded, not encrypted
  • Implement token refresh mechanisms for better security
  • Use the aud claim to ensure tokens are used by intended recipients
  • Consider using JWE (JSON Web Encryption) for sensitive data
  • Store JWTs in httpOnly cookies rather than localStorage so that script injected by an XSS flaw cannot read them

Code Examples

Node.js (jsonwebtoken)

const jwt = require('jsonwebtoken');

// Create JWT: HS256 by default; expiresIn sets the exp claim relative to now
const token = jwt.sign(
  { userId: 123, email: '[email protected]' },
  'your-secret-key',
  { expiresIn: '1h' }
);

// Verify JWT: pin the accepted algorithms so the token's own header cannot choose them.
// verify() throws (TokenExpiredError, JsonWebTokenError) when the signature or exp check fails.
const decoded = jwt.verify(token, 'your-secret-key', { algorithms: ['HS256'] });
console.log(decoded);

Python (PyJWT)

import jwt
from datetime import datetime, timedelta, timezone

# Create JWT: exp must be a NumericDate; PyJWT converts the aware datetime to Unix seconds
payload = {
    'user_id': 123,
    'email': '[email protected]',
    'exp': datetime.now(timezone.utc) + timedelta(hours=1)
}
token = jwt.encode(payload, 'your-secret-key', algorithm='HS256')

# Decode JWT: algorithms= pins what is accepted; decode() raises
# jwt.ExpiredSignatureError or jwt.InvalidSignatureError on failure
decoded = jwt.decode(token, 'your-secret-key', algorithms=['HS256'])
print(decoded)

PHP

<?php
require 'vendor/autoload.php'; // firebase/php-jwt, installed with Composer

use Firebase\JWT\JWT;
use Firebase\JWT\Key;

// Create JWT: exp is a Unix timestamp one hour from now
$payload = [
    'user_id' => 123,
    'email' => '[email protected]',
    'exp' => time() + 3600
];
$token = JWT::encode($payload, 'your-secret-key', 'HS256');

// Decode JWT: the Key object fixes the accepted algorithm; decode() throws
// Firebase\JWT\ExpiredException or Firebase\JWT\SignatureInvalidException on failure
$decoded = JWT::decode($token, new Key('your-secret-key', 'HS256'));
print_r($decoded);

Frequently Asked Questions

Is JWT encrypted?

No. A standard JWT is only Base64url encoded and signed, not encrypted: the signature proves integrity, but anyone holding the token can decode and read the payload. For encryption, use JWE (JSON Web Encryption). Never store sensitive data in a JWT payload.

Can I verify JWT signature with this tool?

This tool only decodes the JWT. Signature verification requires the secret key, which should never be shared. Use backend libraries to verify signatures securely.

What's the difference between JWT and session cookies?

JWTs are stateless and self-contained - all information is in the token. Sessions require server-side storage. JWTs are better for distributed systems and APIs, while sessions are simpler for traditional web apps.

Is my JWT token stored or sent to a server?

No, all decoding happens entirely in your browser using JavaScript. Your token never leaves your device and is not stored anywhere.

How do I revoke a JWT token?

JWTs can't be revoked directly since they're stateless. Common approaches: use short expiration times, implement a token blacklist on your server, or use refresh tokens with access tokens.
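Added example (not the tool's own code) of the server-side blacklist approach from this answer, in Python with the standard library only: a denylist keyed by the jti claim. The design point is the edge case the FAQ hints at: because the verifier already rejects any token past its exp, a revocation entry only has to live until that instant, so the list stays bounded instead of growing forever. The claim values and the class and method names are assumptions.

```python
import time
from typing import Dict, Optional


class RevocationList:
    """Server-side denylist of revoked tokens keyed by their jti claim.

    Consulted after signature and claim validation on every request. Entries
    are pruned once the token they name has expired on its own.
    """

    def __init__(self) -> None:
        self._revoked: Dict[str, int] = {}  # jti -> exp of the revoked token

    def revoke(self, payload: dict) -> None:
        """Record a verified token as revoked until its own exp passes."""
        jti, exp = payload.get("jti"), payload.get("exp")
        if not isinstance(jti, str) or not isinstance(exp, int):
            # Tokens minted without a jti cannot be singled out; issue one per token.
            raise ValueError("revocation needs both jti and exp claims")
        self._revoked[jti] = exp

    def prune(self, now: Optional[int] = None) -> int:
        """Drop entries whose token has expired anyway; returns how many were dropped."""
        now = int(time.time()) if now is None else now
        stale = [jti for jti, exp in self._revoked.items() if exp <= now]
        for jti in stale:
            del self._revoked[jti]
        return len(stale)

    def is_revoked(self, payload: dict, now: Optional[int] = None) -> bool:
        """True if this token's jti was revoked and the token has not yet expired."""
        self.prune(now)
        return payload.get("jti") in self._revoked

    def __len__(self) -> int:
        return len(self._revoked)


if __name__ == "__main__":
    revoked = RevocationList()
    # Constructed, already-verified payload with a jti and a one-hour lifetime.
    token_claims = {"jti": "constructed-id-1", "sub": "42", "exp": int(time.time()) + 3600}
    print("before logout:", revoked.is_revoked(token_claims))
    revoked.revoke(token_claims)
    print("after logout:", revoked.is_revoked(token_claims))
    print("entries once the token has expired:",
          len(revoked) - revoked.prune(token_claims["exp"]))
```

In a multi-instance deployment the dictionary becomes a shared store with per-entry expiry (a cache with TTLs set to exp minus now does the pruning for you); the short-lived access token plus refresh token pattern from the answer keeps that store small, since only access tokens still inside their lifetime ever need an entry.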