swrrvv

JWT Decoder

This free JWT decoder allows you to instantly decode and inspect JSON Web Tokens to view their header and payload contents. All decoding is done locally in your browser to keep your tokens private.

Advertisement

Paste a JWT above to decode it

JWT Decoders: Peeking Inside the “Secret” Envelope

If you've ever built a modern web app, you've likely seen a string that looks like a jumbled mess of characters divided by two dots. That is a JSON Web Token (JWT).

A JWT Decoder is a tool that allows you to take that string and see exactly what information is being passed between a client and a server. But there's a catch: Decoding is not the same as verifying.

The Anatomy of a JWT

A JWT is composed of three parts, each separated by a period (.):

  1. Header: Contains metadata about the token, typically the type (JWT) and the hashing algorithm used (like HS256 or RS256).
  2. Payload: The meat of the token. This contains the “claims”—pieces of information like the user’s ID, their name, or their permissions.
  3. Signature: This is the security guard. It's created by taking the encoded header, the encoded payload, and a secret key, then hashing them together.

How a Decoder Works

Here is the most important thing to remember: The Header and Payload are just Base64URL encoded.

Because Base64 is not encryption, a “decoder” doesn't need a password or a key to show you what's inside. It simply reverses the Base64 encoding to reveal the JSON data. This is why you should never put sensitive secrets (like a user's password or social security number) inside a JWT.

Why Do We Use Them?

JWTs are the gold standard for Stateless Authentication..

  • The Problem: Traditional sessions require the server to remember every logged-in user in a database.
  • The JWT Solution: The server gives the user a signed token. The next time the user makes a request, they show the token. The server checks the Signature to ensure the data hasn't been tampered with. If the signature matches, the server trusts the data inside without having to look anything up in a database.

Decoding vs. Verifying

  • Decoding: Anyone can do this. You take the string, run it through a Base64 decoder, and read the JSON.
  • Verifying: Only the server (or someone with the secret key) can do this. Verifying ensures that the payload hasn't been changed. If an attacker changes the user_id from 123 to 001 in the payload, the Signature will no longer match, and the server will reject it.

Best Practices for Developers

  • Keep it Lean: JWTs are sent with every single request. Keep the payload small to save bandwidth.
  • Verifying: Check the Expiration: Always include an exp (expiration) claim so the token doesn't live forever if stolen.
  • Use HTTPS: Since JWTs are easily decoded, always transmit them over encrypted HTTPS to prevent “Man-in-the-Middle” attacks.
  • Secure Your Secret: The security of your entire application depends on the secret key used to sign the token. Use a strong, random key and never check it into source control.

Related Tools

Advertisement