JWT Decoder
JWTs are widely used for stateless authentication in web apps and APIs. Decoding a JWT lets you inspect its claims - useful for debugging auth flows, checking expiration, and understanding token contents.
Conversion Formula
A JWT has three sections (header, payload, signature) separated by dots. Each section is Base64url-encoded (using - and _ instead of + and /). The signature covers the encoded header + "." + the encoded payload, signed with the secret or private key.
Step-by-Step Examples
Classic minimal JWT:
Token: eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIn0.signature
Header: {"alg":"HS256","typ":"JWT"}
Payload: {"sub":"1234567890"}
History
JWT was proposed in 2010 and standardized as RFC 7519 in 2015. It replaced older approaches like SAML tokens with a lighter, URL-friendly format suitable for REST APIs.
Common Use Cases
- Debugging auth tokens
- Checking token expiration
- Inspecting OAuth2/OIDC tokens
- API development
- Security audits
Frequently Asked Questions
What is a JWT?
JSON Web Token - a compact, URL-safe way to represent claims between parties. Commonly used for authentication. Three parts: header, payload, and signature, separated by dots.
Is decoding the same as verifying?
No. Decoding just reads the Base64url-encoded content. Verification checks the cryptographic signature to confirm the token was issued by a trusted authority and was not tampered with.
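The difference between decoding and verifying, using the signing input described under Conversion Formula, as an added example (not code from this page or its tool). The secret and the altered payload are constructed sample values, and sign_hs256 is a helper added here only to build a test token.

```python
import base64, hashlib, hmac, json

def b64url_decode(part: str) -> bytes:
    # JWTs drop '=' padding; restore it before decoding.
    return base64.urlsafe_b64decode(part + "=" * (-len(part) % 4))

def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")

def decode_unverified(token: str) -> tuple[dict, dict]:
    """Read header and payload. Says nothing about authenticity."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("expected header.payload.signature")
    return json.loads(b64url_decode(parts[0])), json.loads(b64url_decode(parts[1]))

def verify_hs256(token: str, secret: bytes) -> dict:
    """Return the payload only if the HS256 signature is valid."""
    header, payload = decode_unverified(token)
    # Pin the algorithm; do not let the token's own header choose it.
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    signing_input, _, sig = token.rpartition(".")
    expected = hmac.new(secret, signing_input.encode("ascii"), hashlib.sha256).digest()
    # Constant-time comparison of the recomputed and presented MACs.
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    return payload

def sign_hs256(payload: dict, secret: bytes) -> str:
    # Helper for this example only: builds a token to verify.
    head = b64url_encode(b'{"alg":"HS256","typ":"JWT"}')
    body = b64url_encode(json.dumps(payload, separators=(",", ":")).encode())
    mac = hmac.new(secret, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url_encode(mac)}"

# Constructed sample data: demo secret and claims, not real credentials.
SECRET = b"demo-secret-constructed"
GOOD = sign_hs256({"sub": "1234567890"}, SECRET)
# Same header and signature, payload replaced after signing.
_h, _, _s = GOOD.split(".")
TAMPERED = ".".join([_h, b64url_encode(b'{"sub":"9999999999"}'), _s])

if __name__ == "__main__":
    print(decode_unverified(TAMPERED)[1])  # decodes without complaint
    print(verify_hs256(GOOD, SECRET))      # passes verification
```

The altered token decodes cleanly but verify_hs256 raises ValueError for it, which is why claims read from a decoder should never drive an authorization decision.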
What is the JWT structure?
Header (algorithm and token type) + Payload (claims: iss, sub, aud, exp, iat, etc.) + Signature. All three parts are Base64url-encoded and joined with periods.
What are common JWT claims?
iss (issuer), sub (subject/user ID), aud (audience), exp (expiration Unix timestamp), iat (issued at), nbf (not before), jti (JWT ID).