What is a JSON Web Token (JWT)?
A JSON Web Token (JWT) is a compact, URL-safe means of representing claims to be transferred between two parties. It is widely used in modern web development for authentication and authorization. Our JWT Decoder allows you to instantly inspect the contents of any JWT right in your browser, without compromising your token's security.
Structure of a JWT
A typical JWT consists of three parts separated by dots (.). The decoder automatically parses the first two parts:
| Part | Description | Decoded by this tool? |
|---|---|---|
| Header | Contains metadata about the type of token and the cryptographic algorithms used (e.g., HMAC SHA256 or RSA). | Yes |
| Payload (Claims) | Contains the actual statements (claims) about an entity, such as user ID, role, and token expiration time. | Yes |
| Signature | Used to verify that the sender of the JWT is who it says it is and to ensure that the message wasn't changed along the way. | No |
Best Practices for using JWTs
- Do not store sensitive data: JWTs are Base64 encoded, not encrypted. Anyone who gets hold of the token can easily decode and read the payload data using this exact tool.
- Keep expiration times short: Use short-lived access tokens and longer-lived refresh tokens to minimize the risk if a token is compromised.
- Verify signatures on the server: Always verify the token's signature on your backend using a strong, well-kept secret or private key before trusting any claims.