JWT Decoder
Decode and inspect JSON Web Tokens (JWT). View the header, payload, and claims without verifying the signature.
About JWT Decoder
JSON Web Tokens (JWTs) are a widely used format for carrying authentication and authorization claims between a client and a server in modern web applications. Defined by RFC 7519, a JWT in its compact form consists of three Base64URL-encoded parts separated by dots: the header (signing algorithm and token type), the payload (claims about the subject and token metadata), and the signature (an HMAC tag or digital signature computed over the first two parts). A JWT decoder is a handy debugging tool for developers working with OAuth 2.0, OpenID Connect, and API authentication: it lets you inspect token contents, check expiration times, and read claim values without writing any code. Decoding is not verification, though. The header and payload are merely encoded, not encrypted, and reading them proves nothing about who produced them, so nothing a decoder shows you can be trusted until the signature has been checked.
JWT Claims Quick Reference
JWTs carry registered claims defined by RFC 7519: iss (issuer), sub (subject, typically the user ID), aud (audience), exp (expiration time), nbf (not valid before), iat (issued at), and jti (unique token ID). The three time claims are NumericDate values: seconds since the Unix epoch, not milliseconds. Custom claims such as role, email, and permissions are application-specific. The exp claim is critical for security: access tokens should have short lifetimes (15 minutes to 1 hour) and be renewed using longer-lived refresh tokens kept in secure storage, and a server should allow only a small clock-skew tolerance when it checks exp and nbf. A decoder lets you see whether a token has expired; it cannot tell you whether the exp you are looking at was set by the issuer or by someone who re-encoded the payload.
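As an added example (not the decoder's own source code), here is a minimal decoder in JavaScript that does what the two paragraphs above describe: it splits the compact form, base64url-decodes the header and payload, parses them as JSON, and then evaluates the exp, nbf and iat claims against a chosen time with a small clock-skew allowance. It assumes a browser or Node.js 16+ environment where atob, btoa, TextEncoder and TextDecoder are globals. The sample token is constructed inline with a placeholder signature and made-up claims; it is not a real credential.

```javascript
// Added example, not the tool's own code. Decode-only: it never checks the signature.
// Assumes a browser or Node.js 16+ (atob, btoa, TextEncoder, TextDecoder are globals).

// base64url (RFC 4648 section 5) uses '-' and '_' in place of '+' and '/' and drops '=' padding.
function base64UrlToBytes(s) {
  if (!/^[A-Za-z0-9_-]*$/.test(s)) throw new Error('invalid base64url character');
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/') + '='.repeat((4 - (s.length % 4)) % 4);
  const bin = atob(b64); // atob throws on malformed input
  return Uint8Array.from(bin, (c) => c.charCodeAt(0));
}

function bytesToBase64Url(bytes) {
  const bin = String.fromCharCode(...bytes);
  return btoa(bin).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Header and payload must each be a JSON object; anything else is rejected.
function parseJsonObject(bytes, what) {
  const value = JSON.parse(new TextDecoder('utf-8', { fatal: true }).decode(bytes));
  if (value === null || typeof value !== 'object' || Array.isArray(value)) {
    throw new Error(`${what} is not a JSON object`);
  }
  return value;
}

// Split the compact serialization into header, payload and signature bytes.
// Three parts means a JWS; a five-part token is a JWE and cannot be read this way.
function decodeJwt(token) {
  const parts = token.trim().split('.');
  if (parts.length !== 3) throw new Error(`expected 3 dot-separated parts, got ${parts.length}`);
  const [h, p, s] = parts;
  return {
    header: parseJsonObject(base64UrlToBytes(h), 'header'),
    payload: parseJsonObject(base64UrlToBytes(p), 'payload'),
    signature: base64UrlToBytes(s), // raw bytes, displayed but NOT verified
  };
}

// Evaluate the time-based registered claims at a given time (seconds since the
// Unix epoch), tolerating a little clock skew. Returns a list of problems;
// an empty list means the time claims are acceptable at that instant.
function checkTimeClaims(payload, nowSeconds, skewSeconds = 60) {
  const problems = [];
  if (typeof payload.exp !== 'number') problems.push('missing exp');
  else if (nowSeconds >= payload.exp + skewSeconds) problems.push('expired');
  if (typeof payload.nbf === 'number' && nowSeconds + skewSeconds < payload.nbf) problems.push('not yet valid');
  if (typeof payload.iat === 'number' && payload.iat > nowSeconds + skewSeconds) problems.push('issued in the future');
  return problems;
}

// Constructed sample (not a real credential): made-up claims and 32 placeholder signature bytes.
const SAMPLE_PAYLOAD = {
  iss: 'https://issuer.example', sub: 'user-123', aud: 'api.example',
  iat: 1700000000, nbf: 1700000000, exp: 1700000900, jti: 'c1d2e3', role: 'admin',
};
const enc = new TextEncoder();
const SAMPLE_TOKEN = [
  bytesToBase64Url(enc.encode(JSON.stringify({ alg: 'HS256', typ: 'JWT' }))),
  bytesToBase64Url(enc.encode(JSON.stringify(SAMPLE_PAYLOAD))),
  bytesToBase64Url(new Uint8Array(32).fill(0xab)),
].join('.');

const decoded = decodeJwt(SAMPLE_TOKEN);
console.log(decoded.header, decoded.payload, checkTimeClaims(decoded.payload, 1700000500));
```

The decoder deliberately returns the signature as opaque bytes: a decoder can show you that a signature is present and how long it is, but only a verifier holding the right key can say whether it is genuine.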
Common JWT signing algorithms include HS256 (HMAC with SHA-256 using a shared secret), RS256 (RSASSA-PKCS1-v1_5 with SHA-256 using an RSA key pair), and ES256 (ECDSA with the P-256 curve and SHA-256). RS256 and ES256 are recommended for production APIs because verification needs only the public key: it can be handed to every service that accepts tokens without giving any of them the ability to mint tokens, whereas with HS256 every verifier holds the same secret the issuer signs with. Whichever algorithm is used, the verifier must decide the expected algorithm and key itself rather than take them from the token's header, which is under the sender's control. This decoder shows the algorithm in the header, all claims in the payload, and the raw signature bytes (a MAC or signature over the first two parts, not a hash of the token), but it does not verify signatures: for HS256 that would require the shared secret, which must never be entered into a client-side tool.
Frequently Asked Questions
What is a JWT?
JWT (JSON Web Token) is a compact, URL-safe means of representing claims between two parties. It consists of three Base64URL-encoded parts: header, payload, and signature, separated by dots.
Is it safe to paste my JWT here?
Yes, as far as this tool is concerned: all decoding happens in your browser and nothing is sent to any server. Be careful with production tokens anyway. A JWT is a bearer credential, so anyone who obtains a valid one can use it until it expires; avoid pasting live tokens into any tool, including this one, and do not share them in bug reports or chat.
Does this tool verify the signature?
No. This tool only decodes and displays the header and payload. Verifying the signature needs either the shared HMAC secret (HS256), which must never be entered into a browser tool, or the issuer's public key (RS256, ES256), which is safe to share but which this tool does not use. A token that decodes cleanly may still be forged or tampered with, so treat decoded claims as untrusted input until your server has verified the signature and the time claims.